GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 44
GitHub Actions: 45
Go: 3,233
Maven: 5,000+
npm: 5,000+
NuGet: 864
pip: 4,505
Pub: 12
RubyGems: 996
Rust: 1,189
Swift: 51
Unreviewed advisories
All unreviewed: 5,000+
321,346 advisories
Cross-Site Tool Execution for HTTP Servers without Authorization in github.com/modelcontextprotocol/go-sdk
[High] CVE-2026-33252 was published for github.com/modelcontextprotocol/go-sdk (Go) Mar 19, 2026
phpseclib's AES-CBC unpadding susceptible to padding oracle timing attack
[High] CVE-2026-32935 was published for phpseclib/phpseclib (Composer) Mar 19, 2026
pdfmake is vulnerable to server-side request forgery (SSRF)
[High] CVE-2026-26801 was published for pdfmake (npm) Mar 10, 2026
qui CORS Misconfiguration: Arbitrary Origins Trusted
[Critical] CVE-2026-30924 was published for github.com/autobrr/qui (Go) Mar 19, 2026
step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)
[Critical] CVE-2026-30836 was published for github.com/smallstep/certificates (Go) Mar 19, 2026
ormar Pydantic Validation Bypass via __pk_only__ and __excluded__ Kwargs Injection in Model Constructor
[High] CVE-2026-27953 was published for ormar (pip) Mar 19, 2026
Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes
[Moderate] GHSA-5rp4-cwgh-gvwq was published for openclaw (npm) Mar 19, 2026 • withdrawn
Duplicate Advisory: OpenClaw: stageSandboxMedia destination symlink traversal can overwrite files outside sandbox workspace
[Moderate] GHSA-2cwr-f5hx-gg3w was published for openclaw (npm) Mar 19, 2026 • withdrawn
Duplicate Advisory: OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts
[Moderate] GHSA-g87j-gm7p-6vw2 was published for openclaw (npm) Mar 19, 2026 • withdrawn
Duplicate Advisory: OpenClaw's allow-always wrapper persistence could bypass future approvals and enable command execution
[High] GHSA-pfv5-rpcw-x34x was published for openclaw (npm) Mar 19, 2026 • withdrawn
Duplicate Advisory: OpenClaw's system.run allowlist bypass via shell line-continuation command substitution
[Moderate] GHSA-xrgv-34cc-q765 was published for openclaw (npm) Mar 19, 2026 • withdrawn
Duplicate Advisory: OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind
[Moderate] GHSA-q86m-697p-h7fh was published for openclaw (npm) Mar 19, 2026 • withdrawn
jsonpath has Arbitrary Code Injection via Unsafe Evaluation of JSON Path Expressions
[High] CVE-2026-1615 was published for jsonpath (npm) Feb 9, 2026
Umbraco.Engage.Forms Allows Unauthorized Access to Multiple API Endpoints
[High] CVE-2026-27449 was published for Umbraco.Engage.Forms (NuGet) Feb 27, 2026
Microsoft Dynamics 365 Customer Engagement (on-premises) 1612 (9.0.2.3034) allows the generation...
[High] [Unreviewed] CVE-2025-58112 was published Mar 18, 2026
A lack of path validation in aaPanel v7.57.0 allows attackers to execute a local file inclusion ...
[High] [Unreviewed] CVE-2026-29858 was published Mar 18, 2026
An arbitrary file upload vulnerability in aaPanel v7.57.0 allows attackers to execute arbitrary...
[Critical] [Unreviewed] CVE-2026-29859 was published Mar 18, 2026
The WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) exposes an unprotected UART interface...
[Critical] [Unreviewed] CVE-2026-30704 was published Mar 18, 2026
An issue in the VirtualHost configuration handling/parser component of aaPanel v7.57.0 allows...
[High] [Unreviewed] CVE-2026-29856 was published Mar 18, 2026
MuraCMS through 10.1.10 contains a CSRF vulnerability in the bundle creation functionality ...
[Moderate] [Unreviewed] CVE-2025-55043 was published Mar 18, 2026
The update address CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to manipulate...
[High] [Unreviewed] CVE-2025-55045 was published Mar 18, 2026
MuraCMS through 10.1.10 contains a CSRF vulnerability in the Add To Group functionality for user...
[High] [Unreviewed] CVE-2025-55041 was published Mar 18, 2026
Mura before 10.1.14 allows beanFeed.cfc getQuery sortDirection SQL injection.
[Critical] [Unreviewed] CVE-2025-67829 was published Mar 18, 2026
MuraCMS through 10.1.10 contains a CSRF vulnerability that allows attackers to permanently...
[High] [Unreviewed] CVE-2025-55046 was published Mar 18, 2026
Mura before 10.1.14 allows beanFeed.cfc getQuery sortby SQL injection.
[Critical] [Unreviewed] CVE-2025-67830 was published Mar 18, 2026
ProTip! Advisories are also available from the GraphQL API