GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories (count per ecosystem):
All reviewed: 5,000+
Composer: 5,000+
Erlang: 70
GitHub Actions: 52
Go: 3,904
Maven: 5,000+
npm: 5,000+
NuGet: 967
pip: 5,000+
Pub: 13
RubyGems: 1,062
Rust: 1,374
Swift: 54

Unreviewed advisories:
All unreviewed: 5,000+
174 advisories
NocoDB: Shared-base link access can invite arbitrary users as persistent base members. Severity: Moderate. CVE-2026-46552 was published for nocodb (npm) on May 21, 2026.

AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`. Severity: Moderate. CVE-2026-45620 was published for WWBN/AVideo (Composer) on May 18, 2026.

Open WebUI: Authenticated users can bypass model access control via exposed query parameter [AI-ASSISTED]. Severity: Moderate. CVE-2026-45365 was published for open-webui (pip) on May 14, 2026.

Open WebUI missing authorization check at the model update function - models from other users can be updated. Severity: Moderate. CVE-2026-45345 was published for open-webui (pip) on May 14, 2026.

SiYuan: Broken access control in `/api/tag/getTag` — Reader role can mutate `Conf.Tag.Sort` and persist to disk. Severity: Moderate. CVE-2026-45147 was published for github.com/siyuan-note/siyuan/kernel (Go) on May 13, 2026.

ExternalSecrets vulnerable to privilege escalation with secret overwriting. Severity: Moderate. CVE-2026-42876 was published for github.com/external-secrets/external-secrets/apis (Go) on May 8, 2026.

External Secrets Operator has Namespace Isolation Bypass in CAProvider ConfigMap Resolution for SecretStore. Severity: Moderate. CVE-2026-42875 was published for github.com/external-secrets/external-secrets (Go) on May 5, 2026.

OpenClaw: Agent gateway config mutations could change protected operator settings. Severity: Moderate. GHSA-7jm2-g593-4qrc was published for openclaw (npm) on Apr 25, 2026.

Note Mark: Unauthenticated read of notes and assets in soft-deleted public books. Severity: Moderate. CVE-2026-41572 was published for github.com/enchant97/note-mark/backend (Go) on Apr 25, 2026.

nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields. Severity: Moderate. CVE-2026-42202 was published for almirhodzic/nova-toggle-5 (Composer) on Apr 24, 2026.

DNN: Force Friend Request Acceptance. Severity: Moderate. CVE-2026-40305 was published for DotNetNuke.Core (NuGet) on Apr 10, 2026.

decolua 9router vulnerable to authorization bypass. Severity: Moderate. CVE-2026-5842 was published for 9router (npm) on Apr 9, 2026.

monetr: Protected Transactions Deletable via PUT. Severity: Moderate. CVE-2026-39901 was published for github.com/monetr/monetr (Go) on Apr 8, 2026.

CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files. Severity: Moderate. CVE-2026-39389 was published for ci4-cms-erp/ci4ms (Composer) on Apr 8, 2026.

pyload-ng has a WebUI JSON permission mismatch that lets ADD/DELETE users invoke MODIFY-only actions. Severity: Moderate. CVE-2026-40071 was published for pyload-ng (pip) on Apr 8, 2026.

OpenClaw: `/phone arm`/`/phone disarm` Bypasses `operator.admin` Scope Check for External Channels. Severity: Moderate. CVE-2026-41375 was published for openclaw (npm) on Apr 7, 2026.

AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter. Severity: Moderate. CVE-2026-34738 was published for wwbn/avideo (Composer) on Apr 1, 2026.

baserCMS has Mail Form Acceptance Bypass via Public API. Severity: Moderate. CVE-2026-30878 was published for baserproject/basercms (Composer) on Mar 31, 2026.

OpenClaw: Non-owner command-authorized sender can change the owner-only `/send` session delivery policy. Severity: Moderate. CVE-2026-35620 was published for openclaw (npm) on Mar 30, 2026.

OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State. Severity: Moderate. CVE-2026-35661 was published for openclaw (npm) on Mar 29, 2026.

OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision. Severity: Moderate. CVE-2026-35635 was published for openclaw (npm) on Mar 26, 2026.

OpenClaw leaf subagents can bypass controlScope restrictions to send messages to child sessions. Severity: Moderate. CVE-2026-35662 was published for openclaw (npm) on Mar 26, 2026.

Grafana OSS: Authorization bypass allows users with Editor role to modify protected webhook URLs without permissions. Severity: Moderate. CVE-2026-21724 was published for github.com/grafana/grafana (Go) on Mar 26, 2026.

OpenClaw: Mattermost callback dispatch allowed non-allowlisted sender actions. Severity: Moderate. CVE-2026-35652 was published for openclaw (npm) on Mar 26, 2026.

NATS JetStream has an authorization bypass through its Management API. Severity: Moderate. CVE-2026-33222 was published for github.com/nats-io/nats-server (Go) on Mar 24, 2026.