GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,282
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,105
Rust
1,490
Swift
61
Unreviewed advisories
All unreviewed
5,000+
377 advisories
Filter by severity
A vulnerability was detected in SourceCodester CET Automated Grading System with AI Predictive...
Low
Unreviewed
CVE-2026-14609
was published
Jul 3, 2026
SurrealDB: HTTP /rpc `sessions` method leaks attached session UUIDs, enabling full session hijack by anonymous callers
High
GHSA-5qfp-32cf-69jh
was published
for
surrealdb
(Rust)
Jul 1, 2026
Session fixation vulnerability in Wikimedia Foundation OAuth.
This vulnerability is associated...
Low
Unreviewed
CVE-2026-13707
was published
Jul 1, 2026
Capgo console.capgo.app/login before 12.128.2 accepts access_token and refresh_token in URL query...
Moderate
Unreviewed
CVE-2026-56224
was published
Jul 1, 2026
KTM System e-BOK allows the session identifier to be set by the client prior to authentication....
Moderate
Unreviewed
CVE-2026-35095
was published
Jun 30, 2026
The Azure Active Directory (AAD) authentication implementation contained multiple weaknesses in...
Critical
Unreviewed
CVE-2026-56425
was published
Jun 22, 2026
EasyFlow .NET developed by Digiwin has a Session Fixation vulnerability. If unauthenticated...
High
Unreviewed
CVE-2026-12581
was published
Jun 22, 2026
Catalyst::Plugin::Authentication versions before 0.10_027 for Perl is susceptible to session...
Critical
Unreviewed
CVE-2009-10007
was published
Jun 9, 2026
A WebFlux application with a compromised subdomain (for example, compromised via cross-site...
Moderate
Unreviewed
CVE-2026-41839
was published
Jun 9, 2026
A flaw has been found in tittuvarghese CollegeManagementSystem...
Low
Unreviewed
CVE-2026-11335
was published
Jun 5, 2026
Improper Authentication (Authentication Bypass) exists in Neterbit NW-431F Router 20241014-IR03...
Critical
Unreviewed
CVE-2025-67446
was published
Jun 4, 2026
QuickCMS allows a user's session identifier to be set before authentication. The value of this...
Moderate
Unreviewed
CVE-2026-33384
was published
May 29, 2026
Gradio contains a cookie injection vulnerability
High
CVE-2026-48545
was published
for
gradio
(pip)
May 27, 2026
Apache Shiro has a session fixation vulnerability
Moderate
CVE-2026-43827
was published
for
org.apache.shiro:shiro-core
(Maven)
May 26, 2026
Session Fixation vulnerability allows Session Hijacking via crafted session ID. This issue...
High
Unreviewed
CVE-2026-30808
was published
May 12, 2026
docuFORM Managed Print Service Client 11.11c is vulnerable to a session fixation attack via the...
Moderate
Unreviewed
CVE-2025-65415
was published
May 11, 2026
Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access
High
CVE-2026-44553
was published
for
open-webui
(pip)
May 8, 2026
Apache Wicket has a Session Fixation issue
Critical
CVE-2026-40010
was published
for
org.apache.wicket:wicket-auth-roles
(Maven)
May 6, 2026
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release...
Moderate
Unreviewed
CVE-2025-46605
was published
Apr 17, 2026
OAuth2 Proxy's session cookies are not cleared when rendering sign-in page
Low
CVE-2026-34454
was published
for
github.com/oauth2-proxy/oauth2-proxy/v7
(Go)
Apr 14, 2026
MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay
High
CVE-2026-33946
was published
for
mcp
(RubyGems)
Mar 27, 2026
Bludit allows user's session identifier to be set before authentication. The value of this...
Moderate
Unreviewed
CVE-2026-25101
was published
Mar 27, 2026
OpenBao lacks user confirmation for OIDC direct callback mode
Critical
CVE-2026-33757
was published
for
github.com/openbao/openbao
(Go)
Mar 26, 2026
HCL Aftermarket DPC is affected by Session Fixation which allows attacker to takeover the user's...
Moderate
Unreviewed
CVE-2025-55266
was published
Mar 26, 2026
AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration
High
CVE-2026-33492
was published
for
wwbn/avideo
(Composer)
Mar 20, 2026
ProTip!
Advisories are also available from the
GraphQL API