GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
235 advisories

Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims
    Moderate | CVE-2026-45069 | symfony/security-http (Composer) | published May 27, 2026

nimiq-primitives: BlockInclusionProof interlink issue when hops are empty
    Moderate | CVE-2026-46539 | nimiq-primitives (Rust) | published May 21, 2026

RTK improperly trusts project-local filter configuration, allowing silent tampering of command output shown to LLM
    Moderate | CVE-2026-45792 | rtk (Rust) | published May 20, 2026

Insufficient Verification of Data Authenticity vulnerability in Mesalvo Meona Client Launcher...
    Moderate | Unreviewed | CVE-2026-25602 | published May 20, 2026

arnika is affected by medium-severity issues in UDP rotation, PQC handling, and KMS TLS
    Moderate | GHSA-rc6v-5rmx-w5mv | github.com/arnika-project/arnika (Go) | published May 15, 2026

Better Auth: OAuth callback accepts mismatched `state` when cookie-backed state storage is used without PKCE
    Moderate | GHSA-wxw3-q3m9-c3jr | better-auth (npm) | published May 15, 2026

Duplicate Advisory: OpenClaw: Isolated cron awareness events were recorded as trusted system events
    Moderate | GHSA-m5j2-r859-r5cv | openclaw (npm) | published May 11, 2026 | withdrawn

Spring Cloud AWS missing SNS message signature verification allows spoofing of HTTP/HTTPS endpoint notifications
    Moderate | CVE-2026-44308 | io.awspring.cloud:spring-cloud-aws-sns (Maven) | published May 7, 2026

axonflow-sdk-java: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification
    Moderate | GHSA-248h-974q-xrc2 | com.getaxonflow:axonflow-sdk (Maven) | published May 6, 2026

axonflow-sdk-typescript: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification
    Moderate | GHSA-mph8-9v29-pm42 | @axonflow/sdk (npm) | published May 6, 2026

axonflow-sdk-go: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification
    Moderate | GHSA-mhc4-qq83-fmrr | github.com/getaxonflow/axonflow-sdk-go/v5 (Go) | published May 6, 2026

axonflow-sdk-python: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification
    Moderate | GHSA-7f4h-6264-89fr | axonflow (pip) | published May 6, 2026

nuts-node has JWT type confusion in v1 access token introspection that allows VP replay as access token
    Moderate | CVE-2026-41164 | github.com/nuts-foundation/nuts-node (Go) | published May 5, 2026

A vulnerability was found in TRENDnet TEW-821DAP up to 1.12B01. This impacts the function...
    Moderate | Unreviewed | CVE-2026-7611 | published May 2, 2026

A weakness has been identified in TRENDnet TEW-821DAP 1.12B01. This issue affects the function...
    Moderate | Unreviewed | CVE-2026-7606 | published May 2, 2026

The Five Star Restaurant Reservations plugin for WordPress is vulnerable to a payment bypass via...
    Moderate | Unreviewed | CVE-2026-6498 | published Apr 30, 2026

OpenID Connect nonce generated but never validated — ID token replay attack
    Moderate | CVE-2026-42206 | roadiz/openid (Composer) | published Apr 29, 2026

A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This issue affects the...
    Moderate | Unreviewed | CVE-2026-6986 | published Apr 25, 2026

OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input
    Moderate | CVE-2026-43534 | openclaw (npm) | published Apr 17, 2026

Paperclip: Approval decision attribution spoofing via client-controlled `decidedByUserId` in paperclip server
    Moderate | GHSA-p7mm-r948-4q3q | @paperclipai/server (npm) | published Apr 16, 2026

When calling base64.b64decode() or related functions the decoding process would stop after...
    Moderate | Unreviewed | CVE-2026-3446 | published Apr 10, 2026

LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header
    Moderate | CVE-2026-39411 | @lobehub/lobehub (npm) | published Apr 8, 2026

WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php
    Moderate | CVE-2026-39366 | wwbn/avideo (Composer) | published Apr 8, 2026

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More...
    Moderate | Unreviewed | CVE-2026-3177 | published Apr 7, 2026

Electron: Service worker can spoof executeJavaScript IPC replies
    Moderate | CVE-2026-34778 | electron (npm) | published Apr 3, 2026