GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
4,188 advisories
MinIO has an Unauthenticated Object Write via Query-String Credential Signature Bypass in Unsigned-Trailer Uploads
High · GHSA-hv4r-mvr4-25vw was published for github.com/minio/minio (Go) · Apr 14, 2026

frp has an authentication bypass in HTTP vhost routing when routeByHTTPUser is used for access control
Moderate · GHSA-pq96-pwvg-vrr9 was published for github.com/fatedier/frp (Go) · Apr 14, 2026

Oxia has an OIDC token audience validation bypass via SkipClientIDCheck
Critical · GHSA-fhvp-9hcj-6m33 was published for github.com/oxia-db/oxia (Go) · Apr 14, 2026

Improper authentication in Windows Active Directory allows an unauthorized attacker to perform...
Moderate · Unreviewed · CVE-2026-32072 was published · Apr 14, 2026

An improper authentication vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR...
High · Unreviewed · CVE-2026-23708 was published · Apr 14, 2026

Eclipse Jetty: Early return from the JASPIAuthenticator code can potentially not clear ThreadLocal variables
High · CVE-2026-5795 was published for org.eclipse.jetty.ee10:jetty-ee10-jaspi (Maven) · Apr 14, 2026

MinIO has an Unauthenticated Object Write via Missing Signature Verification in Unsigned-Trailer Uploads
High · GHSA-9c4q-hq6p-c237 was published for github.com/minio/minio (Go) · Apr 14, 2026

A vulnerability was detected in zhayujie chatgpt-on-wechat CowAgent up to 2.0.4. This affects an...
Moderate · Unreviewed · CVE-2026-6129 was published · Apr 12, 2026

A weakness has been identified in zhayujie chatgpt-on-wechat CowAgent 2.0.4. The affected element...
Moderate · Unreviewed · CVE-2026-6126 was published · Apr 12, 2026

paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass
Critical · GHSA-68qg-g8mg-6pr7 was published for @paperclipai/server (npm) · Apr 10, 2026

Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
Low · CVE-2026-40109 was published for github.com/fluxcd/notification-controller (Go) · Apr 10, 2026

ajenti.plugin.core has race conditions in 2FA
Moderate · CVE-2026-40178 was published for ajenti.plugin.core (pip) · Apr 10, 2026

ajenti.plugin.core has password bypass when 2FA is activated
Critical · CVE-2026-40177 was published for ajenti.plugin.core (pip) · Apr 10, 2026

Vikunja has TOTP Two-Factor Authentication Bypass via OIDC Login Path
High · CVE-2026-34727 was published for code.vikunja.io/api (Go) · Apr 10, 2026

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to authentication bypass...
Moderate · Unreviewed · CVE-2026-4664 was published · Apr 10, 2026

Apache Tomcat: CLIENT_CERT authentication does not fail as expected
Moderate · CVE-2026-34500 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) · Apr 9, 2026

Apache Tomcat: CLIENT_CERT authentication does not fail as expected
Critical · CVE-2026-29145 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) · Apr 9, 2026

A security flaw has been discovered in GL.iNet GL-RM1, GL-RM10, GL-RM10RC and GL-RM1PE 1.8.1....
High · Unreviewed · CVE-2026-5959 was published · Apr 9, 2026

Laravel Passport: TokenGuard Authenticates Unrelated User for Client Credentials Tokens
High · CVE-2026-39976 was published for laravel/passport (Composer) · Apr 8, 2026

LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header
Moderate · CVE-2026-39411 was published for @lobehub/lobehub (npm) · Apr 8, 2026

Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization
Critical · CVE-2026-39324 was published for rack-session (RubyGems) · Apr 8, 2026

OpenClaw: Zalo replay dedupe cache could suppress events across authenticated webhook targets
Low · GHSA-fqrj-m88p-qf3v was published for openclaw (npm) · Apr 7, 2026

A vulnerability was identified in Totolink A8000R 5.9c.681_B20180413. This issue affects the...
Moderate · Unreviewed · CVE-2026-5676 was published · Apr 6, 2026

A vulnerability was found in assafelovic gpt-researcher up to 3.4.3. This impacts an unknown...
Moderate · Unreviewed · CVE-2026-5632 was published · Apr 6, 2026

A security vulnerability has been detected in JeecgBoot 3.9.0/3.9.1. The impacted element is an...
Moderate · Unreviewed · CVE-2026-5616 was published · Apr 6, 2026

ProTip! Advisories are also available from the GraphQL API.