GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
1,284 advisories
nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys
High
CVE-2026-33030
was published
for
github.com/0xJacky/nginx-ui
(Go)
Mar 30, 2026
OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName
Moderate
GHSA-52q4-3xjc-6778
was published
for
openclaw
(npm)
Mar 29, 2026
OpenClaw: `session_status` sessionId resolution bypasses sandboxed session-tree visibility
High
GHSA-q2qc-744p-66r2
was published
for
openclaw
(npm)
Mar 29, 2026
OpenClaw: Gateway HTTP Session History Route Bypasses Operator Read Scope
Moderate
GHSA-5jvj-hxmh-6h6j
was published
for
openclaw
(npm)
Mar 29, 2026
Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check
High
CVE-2026-34046
was published
for
langflow
(pip)
Mar 27, 2026
MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay
High
CVE-2026-33946
was published
for
mcp
(RubyGems)
Mar 27, 2026
Open WebUI's Insecure Direct Object Reference (IDOR) allows access to other users' memories
Low
CVE-2026-29071
was published
for
open-webui
(pip)
Mar 27, 2026
Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite
High
CVE-2026-28788
was published
for
open-webui
(pip)
Mar 27, 2026
OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens
Moderate
GHSA-xhq5-45pm-2gjr
was published
for
openclaw
(npm)
Mar 26, 2026
OpenClaw: Synology Chat reply delivery could be rebound through username-based user resolution.
High
GHSA-wv46-v6xc-2qhf
was published
for
openclaw
(npm)
Mar 26, 2026
AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions
Moderate
CVE-2026-33764
was published
for
wwbn/avideo
(Composer)
Mar 26, 2026
AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents
Moderate
CVE-2026-33759
was published
for
wwbn/avideo
(Composer)
Mar 26, 2026
Craft CMS: Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata
Low
GHSA-44px-qjjc-xrhq
was published
for
craftcms/cms
(Composer)
Mar 26, 2026
Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR
Critical
GHSA-2pv8-4c52-mf8j
was published
for
code.vikunja.io/api
(Go)
Mar 26, 2026
n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no
Moderate
CVE-2026-33724
was published
for
n8n
(npm)
Mar 25, 2026
Vikjuna: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion
High
CVE-2026-33678
was published
for
code.vikunja.io/api
(Go)
Mar 25, 2026
ProTip!
Advisories are also available from the
GraphQL API