GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,282
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,105
Rust
1,490
Swift
61
Unreviewed advisories
All unreviewed
5,000+
597 advisories
Filter by severity
apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)
High
CVE-2026-42575
was published
for
chainguard.dev/apko
(Go)
May 4, 2026
Dolibarr has Insufficient Verification of Data Authenticity
Low
CVE-2026-7689
was published
for
dolibarr/dolibarr
(Composer)
May 3, 2026
A vulnerability was found in TRENDnet TEW-821DAP up to 1.12B01. This impacts the function...
Moderate
Unreviewed
CVE-2026-7611
was published
May 2, 2026
A weakness has been identified in TRENDnet TEW-821DAP 1.12B01. This issue affects the function...
Moderate
Unreviewed
CVE-2026-7606
was published
May 2, 2026
Hickory DNS's Record Cache Accepts AUTHORITY-Section NS from Sibling Zone via Parent-Pool Zone-Context Elevation
High
GHSA-83hf-93m4-rgwq
was published
for
hickory-recursor
(Rust)
Apr 30, 2026
The Five Star Restaurant Reservations plugin for WordPress is vulnerable to a payment bypass via...
Moderate
Unreviewed
CVE-2026-6498
was published
Apr 30, 2026
OpenID Connect nonce generated but never validated — ID token replay attack
Moderate
CVE-2026-42206
was published
for
roadiz/openid
(Composer)
Apr 29, 2026
OpenClaw: Isolated cron awareness events were recorded as trusted system events
Low
CVE-2026-44999
was published
for
openclaw
(npm)
Apr 25, 2026
A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This issue affects the...
Moderate
Unreviewed
CVE-2026-6986
was published
Apr 25, 2026
Traefik's ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass authentication
High
CVE-2026-35051
was published
for
github.com/traefik/traefik
(Go)
Apr 24, 2026
New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud
High
CVE-2026-41432
was published
for
github.com/QuantumNous/new-api
(Go)
Apr 24, 2026
nimiq-block has skip block quorum bypass via out-of-range BitSet indices & u16 truncation
Critical
CVE-2026-33471
was published
for
nimiq-block
(Rust)
Apr 22, 2026
OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input
Moderate
CVE-2026-43534
was published
for
openclaw
(npm)
Apr 17, 2026
Paperclip: Approval decision attribution spoofing via client-controlled `decidedByUserId` in paperclip server
Moderate
GHSA-p7mm-r948-4q3q
was published
for
@paperclipai/server
(npm)
Apr 16, 2026
Defense in Depth update for NuGet Client
Low
GHSA-g4vj-cjjj-v7hg
was published
for
NuGet.CommandLine
(NuGet)
Apr 14, 2026
SP1 V6 Recursion Circuit Row-Count Binding Gap
High
CVE-2026-40323
was published
for
sp1_prover
(Rust)
Apr 14, 2026
When calling base64.b64decode() or related functions the decoding process would stop after...
Moderate
Unreviewed
CVE-2026-3446
was published
Apr 10, 2026
Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
Low
CVE-2026-40109
was published
for
github.com/fluxcd/notification-controller
(Go)
Apr 10, 2026
OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects
High
CVE-2026-40037
was published
for
openclaw
(npm)
Apr 9, 2026
LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header
Moderate
CVE-2026-39411
was published
for
@lobehub/lobehub
(npm)
Apr 8, 2026
Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization
Critical
CVE-2026-39324
was published
for
rack-session
(RubyGems)
Apr 8, 2026
WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php
Moderate
CVE-2026-39366
was published
for
wwbn/avideo
(Composer)
Apr 8, 2026
The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More...
Moderate
Unreviewed
CVE-2026-3177
was published
Apr 7, 2026
OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter
High
CVE-2026-34511
was published
for
openclaw
(npm)
Apr 4, 2026
fast-jwt accepts unknown `crit` header extensions (RFC 7515 violation)
High
CVE-2026-35042
was published
for
fast-jwt
(npm)
Apr 3, 2026
ProTip!
Advisories are also available from the
GraphQL API