
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

345 advisories

NocoDB: Shared-base link access can invite arbitrary users as persistent base members (Moderate)
CVE-2026-46552 was published for nocodb (npm) May 21, 2026
Credited to 0xmrma

SpiceDB: Caveat structures with nested lists can result in improper cache reuse (Low)
CVE-2026-46668 was published for github.com/authzed/spicedb (Go) May 21, 2026

shopper/framework: Authorization bypass in multiple Livewire admin components (High)
GHSA-f946-9qp6-vgch was published for shopper/framework (Composer) May 18, 2026
Credited to baradika

eduMFA: Incorrect InnoDB snapshot isolation possibly allows token reusage (High)
GHSA-qq2p-4282-cfc5 was published for edumfa (pip) May 18, 2026
Credited to SnailSploit

Open WebUI: Authenticated users can bypass model access control via exposed query parameter [AI-ASSISTED] (Moderate)
CVE-2026-45365 was published for open-webui (pip) May 14, 2026
Credited to johnatzeropath and LeftenantZero
Credited to simioni87

SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs (High)
CVE-2026-45371 was published for github.com/siyuan-note/siyuan/kernel (Go) May 13, 2026
Credited to fg0x0

SiYuan: Broken access control in `/api/tag/getTag` — Reader role can mutate `Conf.Tag.Sort` and persist to disk (Moderate)
CVE-2026-45147 was published for github.com/siyuan-note/siyuan/kernel (Go) May 13, 2026
Credited to StarPlatinu

Apache Tomcat - Security constraints not correctly applied (Critical)
CVE-2026-43515 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) May 12, 2026

ExternalSecrets vulnerable to privilege escalation with secret overwriting (Moderate)
CVE-2026-42876 was published for github.com/external-secrets/external-secrets/apis (Go) May 8, 2026
Credited to factory-nizar and factory-kirk

Aegra has cross-user run injection in /threads/{thread_id}/runs (IDOR) (High)
CVE-2026-44504 was published for aegra-api (pip) May 7, 2026
Credited to victorjmarin

Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic (High)
CVE-2026-42609 was published for getgrav/grav (Composer) May 5, 2026
Credited to AnhNg1410

External Secrets Operator has Namespace Isolation Bypass in CAProvider ConfigMap Resolution for SecretStore (Moderate)
CVE-2026-42875 was published for github.com/external-secrets/external-secrets (Go) May 5, 2026
Credited to moolen

OpenClaw: Agent gateway config mutations could change protected operator settings (Moderate)
GHSA-7jm2-g593-4qrc was published for openclaw (npm) Apr 25, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer

Note Mark: Unauthenticated read of notes and assets in soft-deleted public books (Moderate)
CVE-2026-41572 was published for github.com/enchant97/note-mark/backend (Go) Apr 25, 2026
Credited to adrgs and aisafe-bot

nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields (Moderate)
CVE-2026-42202 was published for almirhodzic/nova-toggle-5 (Composer) Apr 24, 2026
Credited to RobertoNegro

Paperclip: Cross-tenant agent API token minting via missing assertCompanyAccess on /api/agents/:id/keys (Critical)
GHSA-47wq-cj9q-wpmp was published for @paperclipai/server (npm) Apr 16, 2026
Credited to peaktwilight

free5gc UDR improper path validation allows unauthenticated creation and modification of Traffic Influence Subscriptions (High)
CVE-2026-40248 was published for github.com/free5gc/udr (Go) Apr 14, 2026
Credited to Giancannella and FrancescoDAlterio

free5gc UDR improper path validation allows unauthenticated access to Traffic Influence Subscriptions (High)
CVE-2026-40247 was published for github.com/free5gc/udr (Go) Apr 14, 2026
Credited to Giancannella and FrancescoDAlterio

free5gc UDR improper path validation allows unauthenticated deletion of Traffic Influence Subscriptions (High)
CVE-2026-40246 was published for github.com/free5gc/udr (Go) Apr 14, 2026
Credited to Giancannella and FrancescoDAlterio

DNN: Force Friend Request Acceptance (Moderate)
CVE-2026-40305 was published for DotNetNuke.Core (NuGet) Apr 10, 2026
Credited to JesseClarkTT, bdukes, and valadas

Juju: CloudSpec method leaking cloud credentials (Critical)
CVE-2026-5412 was published for github.com/juju/juju (Go) Apr 10, 2026
Credited to alesstimec, wallyworld, and hpidcock

Ech0: Scoped admin access tokens can bypass least-privilege controls on privileged endpoints, including backup export (High)
GHSA-4h9q-p5j4-xvvh was published for github.com/lin-snow/ech0 (Go) Apr 10, 2026
Credited to threalwinky

SiYuan: Publish Reader Can Arbitrarily Delete Attribute View Files via `/api/av/removeUnusedAttributeView` (High)
CVE-2026-40259 was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 10, 2026
Credited to ch1nhpd