Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
46
GitHub Actions
48
Go
3,361
Maven
5,000+
npm
5,000+
NuGet
881
pip
4,554
Pub
12
RubyGems
1,013
Rust
1,205
Swift
51
Unreviewed advisories
All unreviewed
5,000+

3,854 advisories

Loading
Telnyx has malicious code in PyPI versions 4.87.1 and 4.87.2 Critical
GHSA-955r-262c-33jc was published for telnyx (pip) Mar 30, 2026
FHIR Validator HTTP service has SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft Critical
CVE-2026-34361 was published for ca.uhn.hapi.fhir:org.hl7.fhir.validation (Maven) Mar 30, 2026
offset Credited to offset
NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node Critical
CVE-2026-34156 was published for @nocobase/plugin-workflow-javascript (npm) Mar 30, 2026
onurcangnc Credited to onurcangnc
nginx-ui's Unauthenticated MCP Endpoint Allows Remote Nginx Takeover Critical
CVE-2026-33032 was published for github.com/0xJacky/Nginx-UI (Go) Mar 30, 2026
yotampe-pluto Credited to yotampe-pluto
nginx-ui Backup Restore Allows Tampering with Encrypted Backups Critical
CVE-2026-33026 was published for github.com/0xJacky/Nginx-UI (Go) Mar 30, 2026
dapickle Credited to dapickle
MikroORM is vulnerable to SQL Injection via specially crafted object Critical
CVE-2026-34220 was published for @mikro-orm/core (npm) Mar 29, 2026
lukas-eu Credited to lukas-eu
wenxian: Command Injection in GitHub Actions Workflow via `issue_comment.body` Critical
CVE-2026-34243 was published for njzjz/wenxian (GitHub Actions) Mar 29, 2026
choseogyeong Credited to choseogyeong
mpp has multiple payment bypass and griefing vulnerabilities Critical
GHSA-fxc9-7j2w-vx54 was published for mpp (Rust) Mar 29, 2026
veria-labs Credited to veria-labs
mppx has multiple payment bypass and griefing vulnerabilities Critical
GHSA-8x4m-qw58-3pcx was published for mppx (npm) Mar 29, 2026
samczsun Credited to samczsun and veria-labs veria-labs veria-labs
OpenClaw: Silent privilege escalation via gateway shared-auth reconnect Critical
GHSA-fqw4-mph7-2vr8 was published for openclaw (npm) Mar 27, 2026
zpbrent Credited to zpbrent
OpenClaw: Gateway Backend Reconnect lets Non-Admin Operator Scopes Self-Claim operator.admin Critical
GHSA-9hjh-fr4f-gxc4 was published for openclaw (npm) Mar 27, 2026
zpbrent Credited to zpbrent
Zebra node crash — V5 transaction hash panic (P2P reachable) Critical
CVE-2026-34202 was published for zebra-chain (Rust) Mar 27, 2026
robustfengbin Credited to robustfengbin, arya2, conradoplg, upbqdn, and alchemydc arya2 arya2
conradoplg conradoplg upbqdn upbqdn alchemydc alchemydc
Handlebars.js has JavaScript Injection via AST Type Confusion Critical
CVE-2026-33937 was published for handlebars (npm) Mar 27, 2026
RealHurrison Credited to RealHurrison
pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration Critical
CVE-2026-33992 was published for pyload-ng (pip) Mar 27, 2026
DhiyaneshGeek Credited to DhiyaneshGeek
Incus has an abitrary file write through its systemd-creds options Critical
CVE-2026-33945 was published for github.com/lxc/incus/v6 (Go) Mar 27, 2026
stgraber Credited to stgraber, grmpyninja, and stamparm grmpyninja grmpyninja
stamparm stamparm
Incus vulnerable to arbitrary file read and write through pongo templates Critical
CVE-2026-33897 was published for github.com/lxc/incus (Go) Mar 27, 2026
grmpyninja Credited to grmpyninja and stgraber stgraber stgraber
Spring AI: SpEL injection is triggered when a user-supplied value is used as a filter expression key Critical
CVE-2026-22738 was published for org.springframework.ai:spring-ai-vector-store (Maven) Mar 27, 2026
OpenClaw Gateway: RCE and Privilege Escalation from operator.pairing to operator.admin via device.pair.approve Critical
GHSA-hf68-49fm-59cq was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
Convict has Prototype Pollution via startsWith() function Critical
CVE-2026-33864 was published for convict (npm) Mar 26, 2026
kevgeoleo Credited to kevgeoleo, vdata1, reallyTG, fkiriakos07, toufali, and clouserw vdata1 vdata1
reallyTG reallyTG fkiriakos07 fkiriakos07 toufali toufali clouserw clouserw
Convict has prototype pollution via load(), loadFile(), and schema initialization Critical
CVE-2026-33863 was published for convict (npm) Mar 26, 2026
toufali Credited to toufali and clouserw clouserw clouserw
OpenBao has Reflected XSS in its OIDC authentication error message Critical
CVE-2026-33758 was published for github.com/openbao/openbao (Go) Mar 26, 2026
gianklug Credited to gianklug
OpenBao lacks user confirmation for OIDC direct callback mode Critical
CVE-2026-33757 was published for github.com/openbao/openbao (Go) Mar 26, 2026
gianklug Credited to gianklug
Langflow has Authenticated Code Execution in Agentic Assistant Validation Critical
CVE-2026-33873 was published for langflow (pip) Mar 26, 2026
kexinoh Credited to kexinoh and andifilhohub andifilhohub andifilhohub
AVideo has Plaintext Video Password Storage Critical
CVE-2026-33867 was published for wwbn/avideo (Composer) Mar 26, 2026
athuljayaram Credited to athuljayaram
splunk-otel-javaagent: Unsafe deserialization in RMI instrumentation may lead to Remote Code Execution Critical
GHSA-h8w2-rv57-vc6f was published for com.splunk:splunk-otel-javaagent (Maven) Mar 26, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database