Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

195 advisories

Loading
9router: Login brute-force protection bypass via spoofed X-Forwarded-For header High
CVE-2026-55501 was published for 9router (npm) Jul 6, 2026
dinhvaren Credited to dinhvaren
SnailSploit Credited to SnailSploit and 0xShemesh 0xShemesh 0xShemesh
OpenClaw: Matrix allowFrom could bind to mutable display names High
CVE-2026-53811 was published for openclaw (npm) Jul 2, 2026
PhilipPhil Credited to PhilipPhil
OpenClaw: Slack allowFrom could bind to mutable display names High
GHSA-c29c-2q9c-pc86 was published for openclaw (npm) Jul 2, 2026
PhilipPhil Credited to PhilipPhil
OpenClaw: Control UI locality spoofing could mint a durable admin device token High
CVE-2026-53817 was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen
OpenClaw: Same-host trusted-proxy deployments could accept local forged identity headers High
GHSA-rggc-m335-3wvj was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen and Ellahinator Ellahinator Ellahinator
chi's RealIP Middleware allows IP spoofing via unvalidated X-Forwarded-For header High
GHSA-rjr7-jggh-pgcp was published for github.com/go-chi/chi/middleware (Go) Jun 25, 2026
rezmoss Credited to rezmoss
Gogs has an Authentication Bypass via Unvalidated Reverse Proxy Headers High
CVE-2026-25119 was published for gogs.io/gogs (Go) Jun 22, 2026
tenbbughunters Credited to tenbbughunters
OpenClaw: Discord allowFrom could bind to mutable display names High
CVE-2026-53849 was published for openclaw (npm) Jun 18, 2026
PhilipPhil Credited to PhilipPhil
OpenClaw: Zalo allowFrom could bind to mutable display names High
CVE-2026-53857 was published for openclaw (npm) Jun 18, 2026
PhilipPhil Credited to PhilipPhil
Heimdall: IP Spoofing via Unvalidated Forwarding Headers High
GHSA-38x9-25wx-7fg2 was published for https://github.com/dadrus/heimdall (Go) Jun 18, 2026
Duplicate Advisory: Zalo allowFrom could bind to mutable display names High
GHSA-w7m7-3xcf-mp48 was published for openclaw (npm) Jun 16, 2026 withdrawn
Duplicate Advisory: Discord allowFrom could bind to mutable display names High
GHSA-p44v-rx83-vjp4 was published for openclaw (npm) Jun 16, 2026 withdrawn
Caddy: FastCGI header normalization bypass in `forward_auth copy_headers` High
CVE-2026-52845 was published for github.com/caddyserver/caddy (Go) Jun 16, 2026
Vincent550102 Credited to Vincent550102
Unauthenticated Bypass Vulnerability in WpTravelly <= 2.1.7 versions. High Unreviewed
CVE-2026-27089 was published Jun 15, 2026
Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections High
CVE-2026-47737 was published for puma (RubyGems) Jun 9, 2026
vxhex Credited to vxhex and nateberkopec nateberkopec nateberkopec
ProTip! Advisories are also available from the GraphQL API