GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories (count by ecosystem)
All reviewed: 5,000+
Composer: 5,000+
Erlang: 70
GitHub Actions: 52
Go: 3,904
Maven: 5,000+
npm: 5,000+
NuGet: 967
pip: 5,000+
Pub: 13
RubyGems: 1,062
Rust: 1,374
Swift: 54
Unreviewed advisories
All unreviewed: 5,000+

970 advisories
CVE-2026-6570 (Moderate, unreviewed), published Apr 19, 2026: A security flaw has been discovered in kodcloud KodExplorer up to 4.52. Affected is the function...
GHSA-47wq-cj9q-wpmp (Critical), published Apr 16, 2026 for @paperclipai/server (npm): Paperclip: Cross-tenant agent API token minting via missing assertCompanyAccess on /api/agents/:id/keys
CVE-2026-40248 (High), published Apr 14, 2026 for github.com/free5gc/udr (Go): free5gc UDR improper path validation allows unauthenticated creation and modification of Traffic Influence Subscriptions
CVE-2026-40247 (High), published Apr 14, 2026 for github.com/free5gc/udr (Go): free5gc UDR improper path validation allows unauthenticated access to Traffic Influence Subscriptions
CVE-2026-40246 (High), published Apr 14, 2026 for github.com/free5gc/udr (Go): free5gc UDR improper path validation allows unauthenticated deletion of Traffic Influence Subscriptions
CVE-2026-27912 (High, unreviewed), published Apr 14, 2026: Improper authorization in Windows Kerberos allows an authorized attacker to elevate privileges...
CVE-2026-38533 (Moderate, unreviewed), published Apr 14, 2026: An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0...
CVE-2026-40305 (Moderate), published Apr 10, 2026 for DotNetNuke.Core (NuGet): DNN: Force Friend Request Acceptance
CVE-2026-5412 (Critical), published Apr 10, 2026 for github.com/juju/juju (Go): Juju: CloudSpec method leaking cloud credentials
GHSA-4h9q-p5j4-xvvh (High), published Apr 10, 2026 for github.com/lin-snow/ech0 (Go): Ech0: Scoped admin access tokens can bypass least-privilege controls on privileged endpoints, including backup export
CVE-2026-40259 (High), published Apr 10, 2026 for github.com/siyuan-note/siyuan/kernel (Go): SiYuan: Publish Reader Can Arbitrarily Delete Attribute View Files via `/api/av/removeUnusedAttributeView`
CVE-2026-5842 (Moderate), published Apr 9, 2026 for 9router (npm): decolua 9router vulnerable to authorization bypass
CVE-2026-39901 (Moderate), published Apr 8, 2026 for github.com/monetr/monetr (Go): monetr: Protected Transactions Deletable via PUT
CVE-2026-39389 (Moderate), published Apr 8, 2026 for ci4-cms-erp/ci4ms (Composer): CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files
CVE-2026-40071 (Moderate), published Apr 8, 2026 for pyload-ng (pip): pyload-ng has a WebUI JSON permission mismatch that lets ADD/DELETE users invoke MODIFY-only actions
CVE-2026-41375 (Moderate), published Apr 7, 2026 for openclaw (npm): OpenClaw: `/phone arm`/`/phone disarm` Bypasses `operator.admin` Scope Check for External Channels
CVE-2017-20238 (High, unreviewed), published Apr 4, 2026: Hirschmann Industrial HiVision versions 06.0.00 and 07.0.00 prior to 06.0.06 and 07.0.01 contains...
CVE-2026-33950 (Critical), published Apr 3, 2026 for signalk-server (npm): Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity
GHSA-v3qc-wrwx-j3pw (High), published Apr 3, 2026 for openclaw (npm): OpenClaw: Agentic Consent Bypass — LLM Agent Can Silently Disable Exec Approval via `config.patch`
CVE-2026-32213 (Critical, unreviewed), published Apr 3, 2026: Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges...
CVE-2026-33105 (Critical, unreviewed), published Apr 3, 2026: Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to...
CVE-2026-5246 (Moderate, unreviewed), published Apr 2, 2026: A vulnerability was determined in Cesanta Mongoose up to 7.20. Affected is the function...
CVE-2026-5326 (Moderate, unreviewed), published Apr 2, 2026: A vulnerability was identified in SourceCodester Leave Application System 1.0. Impacted is an...
CVE-2026-34784 (High), published Apr 1, 2026 for parse-server (npm): Parse Server's streaming file download bypasses afterFind file trigger authorization
CVE-2026-34738 (Moderate), published Apr 1, 2026 for wwbn/avideo (Composer): AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter
Advisories are also available from the GraphQL API.