Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
46
Go
3,270
Maven
5,000+
npm
5,000+
NuGet
867
pip
4,517
Pub
12
RubyGems
998
Rust
1,194
Swift
51
Unreviewed advisories
All unreviewed
5,000+

27,557 advisories

Loading
OpenClaw: `operator.write` chat.send could reach admin-only config writes Moderate
GHSA-hfpr-jhpq-x4rm was published for openclaw (npm) Mar 9, 2026
tdjackey Credited to tdjackey
OpenClaw: system.run wrapper-depth boundary could skip shell approval gating Moderate
GHSA-r6qf-8968-wj9q was published for openclaw (npm) Mar 9, 2026
tdjackey Credited to tdjackey
OpenClaw: fetch-guard forwards custom authorization headers across cross-origin redirects High
GHSA-6mgf-v5j7-45cr was published for openclaw (npm) Mar 9, 2026
Rickidevs Credited to Rickidevs
OpenClaw: Cross-account sender authorization expansion in `/allowlist ... --store` account scoping Moderate
GHSA-pjvx-rx66-r3fg was published for openclaw (npm) Mar 9, 2026
tdjackey Credited to tdjackey
OpenClaw's system.run allowlist approval parsing missed PowerShell encoded-command wrappers Moderate
GHSA-3h2q-j2v4-6w5r was published for openclaw (npm) Mar 9, 2026
tdjackey Credited to tdjackey
OpenClaw's `system.run` env override filtering allowed dangerous helper-command pivots Moderate
GHSA-j425-whc4-4jgc was published for openclaw (npm) Mar 9, 2026
tdjackey Credited to tdjackey, SnailSploit, and zpbrent SnailSploit SnailSploit
zpbrent zpbrent
OpenClaw's hooks count non-POST requests toward auth lockout Moderate
GHSA-6rmx-gvvg-vh6j was published for openclaw (npm) Mar 9, 2026
JNX03 Credited to JNX03
OpenClaw's dashboard leaked gateway auth material via browser URL/query and localStorage High
GHSA-rchv-x836-w7xp was published for openclaw (npm) Mar 9, 2026
whiter6666 Credited to whiter6666
Glances has SQL Injection via Process Names in TimescaleDB Export High
CVE-2026-30930 was published for Glances (pip) Mar 9, 2026
theamanrawat Credited to theamanrawat and neo-ai-engineer neo-ai-engineer neo-ai-engineer
Glances Exposes Unauthenticated Configuration Secrets High
CVE-2026-30928 was published for glances (pip) Mar 9, 2026
theamanrawat Credited to theamanrawat and neo-ai-engineer neo-ai-engineer neo-ai-engineer
FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse) High
CVE-2026-30934 was published for github.com/gtsteffaniak/filebrowser (Go) Mar 9, 2026
lulaide Credited to lulaide
FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info High
CVE-2026-30933 was published for github.com/gtsteffaniak/filebrowser/backend (Go) Mar 9, 2026
mdcoxe Credited to mdcoxe
Admidio: Event participation IDOR - non-leaders can register other users for events via user_uuid parameter Moderate
CVE-2026-30927 was published for admidio/admidio (Composer) Mar 9, 2026
SiYuan: Authorization Bypass Allows Low-Privilege Publish User to Modify Notebook Content via /api/block/appendHeadingChildren High
CVE-2026-30926 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 9, 2026
Zwique Credited to Zwique
Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters Critical
CVE-2026-30863 was published for parse-server (npm) Mar 9, 2026
asukachloe Credited to asukachloe, mtrezza, and devanshbatham mtrezza mtrezza
devanshbatham devanshbatham
Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled Moderate
CVE-2026-30854 was published for parse-server (npm) Mar 9, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization Moderate
CVE-2026-30850 was published for parse-server (npm) Mar 9, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory Moderate
CVE-2026-30848 was published for parse-server (npm) Mar 9, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding High
CVE-2026-30920 was published for @oneuptime/common (npm) Mar 9, 2026
maru1009 Credited to maru1009
Kubewarden: Cross-namespace data exfiltration via deprecated host callback binding Moderate
CVE-2026-29773 was published for github.com/kubewarden/kubewarden-controller (Go) Mar 9, 2026
thevilledev Credited to thevilledev
Netmaker: Service User with Network Access Can Access config files with WireGuard Private Keys High
CVE-2026-29196 was published for github.com/gravitl/netmaker (Go) Mar 9, 2026
Netmaker has Privilege Escalation from Admin to Super-Admin via User Update Moderate
CVE-2026-29195 was published for github.com/gravitl/netmaker (Go) Mar 9, 2026
Netmaker has Insufficient Authorization in Host Token Verification High
CVE-2026-29194 was published for github.com/gravitl/netmaker (Go) Mar 9, 2026
Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange High
CVE-2026-28513 was published for github.com/pocket-id/pocket-id/backend (Go) Mar 9, 2026
dorakemon Credited to dorakemon
Pocket ID: OAuth redirect_uri validation bypass via userinfo/host confusion High
CVE-2026-28512 was published for github.com/pocket-id/pocket-id/backend (Go) Mar 9, 2026
ByamB4 Credited to ByamB4
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database