Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,048 advisories

Loading
Parser Server's streaming file download bypasses afterFind file trigger authorization High
CVE-2026-34784 was published for parse-server (npm) Apr 1, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter Moderate
CVE-2026-34738 was published for wwbn/avideo (Composer) Apr 1, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Open WebUI has Broken Access Control in Tool Valves High
CVE-2026-34222 was published for open-webui (pip) Apr 1, 2026
timoles Credited to timoles and sec-consult sec-consult sec-consult
SciTokens has an Authorization Bypass via Incorrect Scope Path Prefix Checking High
CVE-2026-32716 was published for scitokens (pip) Mar 31, 2026
pmcao Credited to pmcao and djw8605 djw8605 djw8605
baserCMS has Mail Form Acceptance Bypass via Public API Moderate
CVE-2026-30878 was published for baserproject/basercms (Composer) Mar 31, 2026
melonattacker Credited to melonattacker
The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnerable to... Moderate Unreviewed
CVE-2026-1710 was published Mar 31, 2026
OpenClaw: Non-owner command-authorized sender can change the owner-only `/send` session delivery policy Moderate
CVE-2026-35620 was published for openclaw (npm) Mar 30, 2026
tdjackey Credited to tdjackey
OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State Moderate
CVE-2026-35661 was published for openclaw (npm) Mar 29, 2026
zpbrent Credited to zpbrent
Traefik: Deny Rule Bypass via Unauthenticated Malicious gRPC Requests in gRPC-Go Dependency (CVE-2026-33186) High
GHSA-46wh-3698-f2cx was published for github.com/traefik/traefik/v2 (Go) Mar 29, 2026
OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision Moderate
CVE-2026-35635 was published for openclaw (npm) Mar 26, 2026
tdjackey Credited to tdjackey
OpenClaw leaf subagents can bypass controlScope restrictions to send messages to child sessions Moderate
CVE-2026-35662 was published for openclaw (npm) Mar 26, 2026
space08 Credited to space08
Grafana OSS: Authorization bypass allows users with Editor role to modify protected webhook URLs without permissions Moderate
CVE-2026-21724 was published for github.com/grafana/grafana (Go) Mar 26, 2026
OpenClaw: Tlon settings empty-allowlist reconciliation bypassed intended revocation Low
CVE-2026-35649 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw: Mattermost callback dispatch allowed non-allowlisted sender actions Moderate
CVE-2026-35652 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation High
CVE-2026-33680 was published for code.vikunja.io/api (Go) Mar 25, 2026
offset Credited to offset
Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect High
CVE-2026-33668 was published for code.vikunja.io/api (Go) Mar 25, 2026
ProTip! Advisories are also available from the GraphQL API