GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: all reviewed 5,000+; Composer 5,000+; Erlang 40; GitHub Actions 41; Go 3,049; Maven 5,000+; npm 4,787; NuGet 825; pip 4,384; Pub 12; RubyGems 988; Rust 1,144; Swift 50.
Unreviewed advisories: 5,000+.

3,018 advisories
OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata (Moderate; GHSA-7jx5-9fjg-hp4m, published Feb 27, 2026 for openclaw (npm))
Mattermost doesn't verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin (Moderate; CVE-2025-64641, published Dec 24, 2025 for github.com/mattermost/mattermost-server (Go))
Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues (Moderate; CVE-2025-13767, published Dec 24, 2025 for github.com/mattermost/mattermost-server (Go))
Fleet has an Access Control vulnerability in debug/pprof endpoints (High; CVE-2026-23517, published Jan 20, 2026 for github.com/fleetdm/fleet (Go))
A NestJS application using @nestjs/platform-fastify can allow bypass of authentication... (High, Unreviewed; CVE-2026-2293, published Feb 27, 2026)
Public dashboards with annotations enabled did not limit their annotation timerange to the locked... (Moderate, Unreviewed; CVE-2026-21722, published Feb 12, 2026)
Due to inadequate access control, authenticated users of certain HIKSEMI NAS products can... (Moderate, Unreviewed; CVE-2026-22624, published Jan 30, 2026)
The dashboard permissions API does not verify the target dashboard scope and only checks the... (High, Unreviewed; CVE-2026-21721, published Jan 27, 2026)
WireGuard Portal is Vulnerable to Privilege Escalation via User Self-Update to Admin Level (High; CVE-2026-27899, published Feb 26, 2026 for github.com/h44z/wg-portal (Go))
Fleet: Authorization Bypass in certificate template batch deletion for team administrators (Moderate; CVE-2026-25963, published Feb 26, 2026 for github.com/fleetdm/fleet/v4 (Go))
Apache Superset: Read-Only Bypass via Improper Input Validation on PostgreSQL Connections (High; CVE-2026-23984, published Feb 24, 2026 for apache-superset (pip))
Apache Superset Improper Authorization allows low-privileged users to bypass access controls (High; CVE-2026-23982, published Feb 24, 2026 for apache-superset (pip))
RustFS: Missing Post Policy Validation leads to Arbitrary Object Write (High; CVE-2026-27607, published Feb 25, 2026 for rustfs (Rust))
A permission cache poisoning vulnerability in Devolutions Server allows authenticated users to... (Moderate, Unreviewed; CVE-2026-1768, published Feb 24, 2026)
Kargo has an Authorization Bypass Vulnerability in Batch Resource Creation API Endpoints (Critical; CVE-2026-27112, published Feb 19, 2026 for github.com/akuity/kargo (Go))
Improper access checks in M-Files Server before 25.12 allows users to download files through M... (Moderate, Unreviewed; CVE-2025-14318, published Dec 18, 2025)
A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests... (Moderate, Unreviewed; CVE-2019-1192, published May 24, 2022)
Cilium may not enforce host firewall policies when Native Routing, WireGuard and Node Encryption are enabled (Moderate; CVE-2026-26963, published Feb 19, 2026 for github.com/cilium/cilium (Go))
OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities (Moderate; CVE-2026-26328, published Feb 18, 2026 for clawdbot (npm))
OpenClaw BlueBubbles webhook auth bypass via loopback proxy trust (High; CVE-2026-26316, published Feb 17, 2026 for @openclaw/bluebubbles (npm))
Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected... (High, Unreviewed; CVE-2026-26336, published Feb 19, 2026)
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed... (High, Unreviewed; CVE-2026-1999, published Feb 18, 2026)
opa-envoy-plugin has an Authorization Bypass via Double-Slash Path Misinterpretation in input.parsed_path (High; CVE-2026-26205, published Feb 18, 2026 for github.com/open-policy-agent/opa-envoy-plugin (Go))
Gogs has a Protected Branch Deletion Bypass in Web Interface (High; CVE-2026-25232, published Feb 17, 2026 for gogs.io/gogs (Go))
Mattermost Plugin Zoom allows any logged-in user to change Zoom meeting restrictions for arbitrary channels (Moderate; CVE-2026-0997, published Feb 16, 2026 for github.com/mattermost/mattermost-plugin-zoom (Go))
ProTip! Advisories are also available from the GraphQL API.
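As an added example (not GitHub's own code and not part of the database page), the Python script below pulls the newest advisories through the GraphQL API's `securityAdvisories` connection, flattens each advisory into one record per affected package, and applies the same ecosystem and severity filters the web listing offers. The `GITHUB_TOKEN` environment variable, the helper names, and the `SAMPLE_RESPONSE` data are assumptions; the sample is constructed to match the shape of a real API reply (placeholder IDs, packages and versions, not real advisories) so the flattening and filtering can be exercised without network access. It also covers the case the listing above shows often: an unreviewed advisory that carries no package data at all.

```python
"""Pull advisories from the GitHub GraphQL API and filter them like the web UI.
Added example, not GitHub's own code; assumes a token in GITHUB_TOKEN, and
SAMPLE_RESPONSE is constructed placeholder data shaped like a real reply."""
import json
import os
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"
SEVERITY_RANK = {"LOW": 0, "MODERATE": 1, "HIGH": 2, "CRITICAL": 3}

# Newest advisories first, with CVE identifiers and affected packages.
ADVISORY_QUERY = """
query RecentAdvisories($first: Int!, $after: String) {
  securityAdvisories(first: $first, after: $after,
                     orderBy: {field: PUBLISHED_AT, direction: DESC}) {
    pageInfo { hasNextPage endCursor }
    nodes {
      ghsaId summary severity publishedAt
      identifiers { type value }
      vulnerabilities(first: 10) { nodes {
        package { ecosystem name }
        vulnerableVersionRange
        firstPatchedVersion { identifier }
      } }
    }
  }
}
"""


def fetch_page(token, first=50, after=None):
    """POST one page of the query to api.github.com (network and token needed)."""
    body = json.dumps({"query": ADVISORY_QUERY,
                       "variables": {"first": first, "after": after}}).encode()
    req = urllib.request.Request(
        GRAPHQL_URL, data=body, method="POST",
        headers={"Authorization": f"bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def flatten_advisories(response):
    """One record per (advisory, affected package); package-less advisories
    (common for unreviewed ones) still yield one record with None fields."""
    records = []
    conn = response.get("data", {}).get("securityAdvisories", {})
    for adv in conn.get("nodes", []):
        cves = [i["value"] for i in adv.get("identifiers", []) if i["type"] == "CVE"]
        # An empty vulnerabilities list collapses to [None] so the advisory survives.
        for v in adv.get("vulnerabilities", {}).get("nodes") or [None]:
            patched = (v or {}).get("firstPatchedVersion") or {}
            records.append({
                "ghsa_id": adv["ghsaId"],
                "cve": cves[0] if cves else None,
                "severity": adv["severity"],
                "published_at": adv["publishedAt"],
                "ecosystem": v["package"]["ecosystem"] if v else None,
                "package": v["package"]["name"] if v else None,
                "vulnerable_range": v["vulnerableVersionRange"] if v else None,
                "first_patched": patched.get("identifier"),
            })
    return records


def select(records, ecosystem=None, min_severity="LOW"):
    """Filter by ecosystem and minimum severity, as the web listing does."""
    floor = SEVERITY_RANK[min_severity]
    return [r for r in records
            if (ecosystem is None or r["ecosystem"] == ecosystem)
            and SEVERITY_RANK.get(r["severity"], -1) >= floor]


# Constructed sample: placeholder IDs, packages and versions, not real advisories.
SAMPLE_RESPONSE = {"data": {"securityAdvisories": {"nodes": [
    {"ghsaId": "GHSA-xxxx-xxxx-xxx1", "severity": "CRITICAL", "publishedAt": "2026-02-19T00:00:00Z",
     "identifiers": [{"type": "GHSA", "value": "GHSA-xxxx-xxxx-xxx1"},
                     {"type": "CVE", "value": "CVE-0000-0001"}],
     "vulnerabilities": {"nodes": [
         {"package": {"ecosystem": "GO", "name": "github.com/example/server"},
          "vulnerableVersionRange": "< 1.2.0",
          "firstPatchedVersion": {"identifier": "1.2.0"}}]}},
    {"ghsaId": "GHSA-xxxx-xxxx-xxx2", "severity": "MODERATE", "publishedAt": "2026-02-18T00:00:00Z",
     "identifiers": [{"type": "GHSA", "value": "GHSA-xxxx-xxxx-xxx2"}],
     "vulnerabilities": {"nodes": [
         {"package": {"ecosystem": "NPM", "name": "example-client"},
          "vulnerableVersionRange": "< 3.0.1",
          "firstPatchedVersion": {"identifier": "3.0.1"}},
         {"package": {"ecosystem": "PIP", "name": "example-client"},
          "vulnerableVersionRange": "<= 2.9", "firstPatchedVersion": None}]}},
    {"ghsaId": "GHSA-xxxx-xxxx-xxx3", "severity": "HIGH", "publishedAt": "2026-02-17T00:00:00Z",
     "identifiers": [{"type": "CVE", "value": "CVE-0000-0003"}],
     "vulnerabilities": {"nodes": []}},
]}}}

if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    response = fetch_page(token) if token else SAMPLE_RESPONSE
    for r in select(flatten_advisories(response), min_severity="HIGH"):
        print(r["ghsa_id"], r["cve"], r["severity"], r["ecosystem"], r["package"])
```

With `GITHUB_TOKEN` set the script queries the live API; without it, it runs against the constructed sample and prints the two records at High or above. Flattening to one row per package is what makes the ecosystem filter meaningful, since a single advisory can affect packages in several registries, and keeping package-less advisories as rows is what stops unreviewed entries from disappearing when you later join this output against a dependency inventory.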