GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,296
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
62 advisories
Filter by severity
9router: Login brute-force protection bypass via spoofed X-Forwarded-For header
High
CVE-2026-55501
was published
for
9router
(npm)
Jul 6, 2026
9router has an Incomplete Fix: Local-Only Access Gate Bypass in 9router via Host Header SpoofING
High
CVE-2026-49353
was published
for
9router
(npm)
Jul 2, 2026
OpenClaw: Matrix allowFrom could bind to mutable display names
High
CVE-2026-53811
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Slack allowFrom could bind to mutable display names
High
GHSA-c29c-2q9c-pc86
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Control UI locality spoofing could mint a durable admin device token
High
CVE-2026-53817
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Same-host trusted-proxy deployments could accept local forged identity headers
High
GHSA-rggc-m335-3wvj
was published
for
openclaw
(npm)
Jul 2, 2026
chi's RealIP Middleware allows IP spoofing via unvalidated X-Forwarded-For header
High
GHSA-rjr7-jggh-pgcp
was published
for
github.com/go-chi/chi/middleware
(Go)
Jun 25, 2026
Gogs has an Authentication Bypass via Unvalidated Reverse Proxy Headers
High
CVE-2026-25119
was published
for
gogs.io/gogs
(Go)
Jun 22, 2026
OpenClaw: Discord allowFrom could bind to mutable display names
High
CVE-2026-53849
was published
for
openclaw
(npm)
Jun 18, 2026
OpenClaw: Zalo allowFrom could bind to mutable display names
High
CVE-2026-53857
was published
for
openclaw
(npm)
Jun 18, 2026
Heimdall: IP Spoofing via Unvalidated Forwarding Headers
High
GHSA-38x9-25wx-7fg2
was published
for
https://github.com/dadrus/heimdall
(Go)
Jun 18, 2026
Duplicate Advisory: Zalo allowFrom could bind to mutable display names
High
GHSA-w7m7-3xcf-mp48
was published
for
openclaw
(npm)
Jun 16, 2026
•
withdrawn
Duplicate Advisory: Discord allowFrom could bind to mutable display names
High
GHSA-p44v-rx83-vjp4
was published
for
openclaw
(npm)
Jun 16, 2026
•
withdrawn
Caddy: FastCGI header normalization bypass in `forward_auth copy_headers`
High
CVE-2026-52845
was published
for
github.com/caddyserver/caddy
(Go)
Jun 16, 2026
Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections
High
CVE-2026-47737
was published
for
puma
(RubyGems)
Jun 9, 2026
Symfony Vulnerable to Identity Spoofing via Unanchored DN Regex in X509Authenticator
High
CVE-2026-45063
was published
for
symfony/security-http
(Composer)
May 27, 2026
Keycloak: Session fixation in OIDC login flow that can lead to account takeover
High
CVE-2026-7507
was published
for
org.keycloak:keycloak-services
(Maven)
May 19, 2026
Fleet Windows MDM Azure AD JWT Authentication Bypass
High
CVE-2026-24899
was published
for
github.com/fleetdm/fleet/v4
(Go)
May 14, 2026
opentelemetry-collector-contrib's azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay
High
CVE-2026-42602
was published
for
github.com/open-telemetry/opentelemetry-collector-contrib/extension/azureauthextension
(Go)
May 6, 2026
Duplicate Advisory: OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens
High
GHSA-35vf-vw9f-q3cr
was published
for
openclaw
(npm)
May 6, 2026
•
withdrawn
OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens
High
CVE-2026-44118
was published
for
openclaw
(npm)
May 4, 2026
Traefik: Pre-authentication decision bypass due to forwarded alias spoofing
High
CVE-2026-39858
was published
for
github.com/traefik/traefik
(Go)
Apr 24, 2026
Tmds.DBus: malicious D-Bus peers can spoof signals, exhaust file descriptor resources, and cause denial of service
High
CVE-2026-39959
was published
for
Tmds.DBus
(NuGet)
Apr 8, 2026
Django vulnerable to ASGI header spoofing via underscore/hyphen conflation
High
CVE-2026-3902
was published
for
Django
(pip)
Apr 7, 2026
Auth0OAuthenticator has an Authentication Bypass via Unverified Email Claims
High
CVE-2026-33175
was published
for
oauthenticator
(pip)
Apr 3, 2026
ProTip!
Advisories are also available from the
GraphQL API