GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
801 advisories

Parse Dashboard is Missing CSRF Protection for its Agent Endpoint
High | CVE-2026-27609 was published for parse-dashboard (npm) | Feb 25, 2026

Caddy is vulnerable to cross-origin config application via local admin API /load
Moderate | CVE-2026-27589 was published for github.com/caddyserver/caddy/v2 (Go) | Feb 24, 2026

OpenClaw Chutes manual OAuth state validation bypass can cause credential substitution
Moderate | GHSA-7rcp-mxpq-72pj was published for openclaw (npm) | Feb 18, 2026

OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints
High | CVE-2026-26317 was published for clawdbot (npm) | Feb 18, 2026

unity-cli Exposes Plaintext Credentials in Debug Logs (sign-package command)
Moderate | CVE-2026-25918 was published for @rage-against-the-pixel/unity-cli (npm) | Feb 10, 2026

Qwik City CSRF protection middleware does not work properly for content type header with parameters (eg. multipart/form-data)
Moderate | CVE-2026-25155 was published for @builder.io/qwik-city (npm) | Feb 3, 2026

Qwik City has a CSRF Protection Bypass via Content-Type Header Validation
Moderate | CVE-2026-25151 was published for @builder.io/qwik-city (npm) | Feb 3, 2026

sigstore CSRF possibility in OIDC authentication during signing
Low | CVE-2026-24408 was published for sigstore (pip) | Jan 26, 2026

alextselegidis/easyappointments is Vulnerable to CSRF Protection Bypass
High | CVE-2026-23622 was published for alextselegidis/easyappointments (Composer) | Jan 15, 2026

Authlib has 1-click Account Takeover vulnerability
Moderate | CVE-2025-68158 was published for authlib (pip) | Jan 8, 2026

React Router has CSRF issue in Action/Server Action Request Processing
Moderate | CVE-2026-22030 was published for @remix-run/server-runtime (npm) | Jan 8, 2026

FastAPI Users Vulnerable to 1-click Account Takeover in Apps Using FastAPI SSO
Moderate | CVE-2025-68481 was published for fastapi-users (pip) | Dec 19, 2025

Mattermost has CSRF vulnerability via Calls Widget page
Moderate | CVE-2025-62190 was published for github.com/mattermost/mattermost-plugin-calls (Go) | Dec 17, 2025

1Panel contains a cross-site request forgery (CSRF) vulnerability in the panel name management functionality
Moderate | CVE-2025-34430 was published for github.com/1Panel-dev/1Panel (Go) | Dec 10, 2025

1Panel contains a cross-site request forgery (CSRF) vulnerability in the web port configuration functionality
High | CVE-2025-34429 was published for github.com/1Panel-dev/1Panel (Go) | Dec 10, 2025

Jenkins has a CSRF vulnerability on the login form
Low | CVE-2025-67639 was published for org.jenkins-ci.main:jenkins-core (Maven) | Dec 10, 2025

1Panel contains a cross-site request forgery (CSRF) vulnerability in the Change Username functionality
High | CVE-2025-34410 was published for github.com/1Panel-dev/1Panel (Go) | Dec 10, 2025

Ray is vulnerable to Critical RCE via Safari & Firefox Browsers through DNS Rebinding Attack
Critical | CVE-2025-62593 was published for ray (pip) | Nov 26, 2025

Drupal Currency allows Cross Site Request Forgery
Moderate | CVE-2025-10930 was published for drupal/currency (Composer) | Oct 30, 2025

Jenkins Publish to Bitbucket Plugin vulnerable to CSRF and missing permissions check
Moderate | CVE-2025-64149 was published for org.jenkins-ci.plugins:publish-to-bitbucket (Maven) | Oct 29, 2025

Jenkins Nexus Task Runner Plugin vulnerable to cross-site request forgery
Moderate | CVE-2025-64141 was published for org.jenkins-ci.plugins:nexus-task-runner (Maven) | Oct 29, 2025

Jenkins Extensible Choice Parameter Plugin vulnerable to cross-site request forgery
Moderate | CVE-2025-64133 was published for jp.ikedam.jenkins.plugins:extensible-choice-parameter (Maven) | Oct 29, 2025

Jenkins Start Windocks Containers Plugin vulnerable to cross-site request forgery
Moderate | CVE-2025-64138 was published for org.jenkins-ci.plugins:windocks-start-container (Maven) | Oct 29, 2025

Jenkins Themis Plugin vulnerable to cross-site request forgery
Moderate | CVE-2025-64136 was published for org.jenkins-ci.plugins:themis (Maven) | Oct 29, 2025

Liferay Portal Vulnerable to CSRF in Headless APIs
High | CVE-2025-62258 was published for com.liferay.portal:release.portal.bom (Maven) | Oct 28, 2025