Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
45
Go
3,248
Maven
5,000+
npm
5,000+
NuGet
867
pip
4,513
Pub
12
RubyGems
997
Rust
1,189
Swift
51
Unreviewed advisories
All unreviewed
5,000+

27,475 advisories

Loading
AVideo has an OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command Moderate
CVE-2026-33319 was published for wwbn/avideo (Composer) Mar 19, 2026
restriction Credited to restriction
Salvo Affected by Denial of Service via Unbounded Memory Allocation in Form Data Parsing High
CVE-2026-33241 was published for salvo (Rust) Mar 19, 2026
yshing Credited to yshing
Salvo has a Path Traversal in salvo-proxy::encode_url_path allows API Gateway Bypass High
CVE-2026-33242 was published for salvo (Rust) Mar 19, 2026
tomasilluminati Credited to tomasilluminati
Improper handling of null Unicode character when parsing JSON in github.com/modelcontextprotocol/go-sdk High
GHSA-q382-vc8q-7jhj was published for github.com/modelcontextprotocol/go-sdk (Go) Mar 19, 2026
anaximand3r Credited to anaximand3r
AVideo has a Path Traversal in listFiles.json.php Enables Server Filesystem Enumeration Moderate
CVE-2026-33238 was published for wwbn/avideo (Composer) Mar 19, 2026
restriction Credited to restriction
AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation Moderate
CVE-2026-33237 was published for wwbn/avideo (Composer) Mar 19, 2026
restriction Credited to restriction
Juju affected by timing ownership claim attack on new external back-end secrets Moderate
CVE-2026-32691 was published for github.com/juju/juju (Go) Mar 19, 2026
hpidcock Credited to hpidcock
NLTK has a Downloader Path Traversal Vulnerability (AFO) - Arbitrary File Overwrite High
CVE-2026-33236 was published for nltk (pip) Mar 19, 2026
Unauthenticated remote shutdown in nltk.app.wordnet_app High
CVE-2026-33231 was published for nltk (pip) Mar 19, 2026
leduckhuong Credited to leduckhuong
Claude Code has a Workspace Trust Dialog Bypass via Repo-Controlled Settings File High
CVE-2026-33068 was published for @anthropic-ai/claude-code (npm) Mar 19, 2026
Duplicate Advisory: OpenClaw's allow-always wrapper persistence could bypass future approvals and enable command execution High
GHSA-pfv5-rpcw-x34x was published for openclaw (npm) Mar 19, 2026 withdrawn
Duplicate Advisory: OpenClaw's system.run allowlist bypass via shell line-continuation command substitution Moderate
GHSA-xrgv-34cc-q765 was published for openclaw (npm) Mar 19, 2026 withdrawn
Duplicate Advisory: OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts Moderate
GHSA-g87j-gm7p-6vw2 was published for openclaw (npm) Mar 19, 2026 withdrawn
Duplicate Advisory: OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind Moderate
GHSA-q86m-697p-h7fh was published for openclaw (npm) Mar 19, 2026 withdrawn
Duplicate Advisory: OpenClaw: stageSandboxMedia destination symlink traversal can overwrite files outside sandbox workspace Moderate
GHSA-2cwr-f5hx-gg3w was published for openclaw (npm) Mar 19, 2026 withdrawn
Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes Moderate
GHSA-5rp4-cwgh-gvwq was published for openclaw (npm) Mar 19, 2026 withdrawn
Duplicate Advisory: OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains Moderate
GHSA-5326-6f73-m96w was published for openclaw (npm) Mar 19, 2026 withdrawn
Duplicate Advisory: OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing Moderate
GHSA-866c-wwm5-4rj7 was published for openclaw (npm) Mar 19, 2026 withdrawn
Duplicate Advisory: OpenClaw Windows Scheduled Task script generation allowed local command injection via unsafe cmd argument handling Moderate
GHSA-5gqg-mqh5-2v39 was published for openclaw (npm) Mar 19, 2026 withdrawn
Duplicate Advisory: OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path Moderate
GHSA-8px5-2gfr-7ph6 was published for openclaw (npm) Mar 19, 2026 withdrawn
Duplicate Advisory: safeBins stdin-only bypass via sort output and recursive grep flags Low
GHSA-ggm6-h3mx-cmmp was published for openclaw (npm) Mar 19, 2026 withdrawn
Arbitrary file write via tar traversal in mlflow High
CVE-2025-15031 was published for mlflow (pip) Mar 19, 2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nltk Moderate
CVE-2026-33230 was published for nltk (pip) Mar 18, 2026
leduckhuong Credited to leduckhuong
Budibase Unrestricted Server-Side Request Forgery (SSRF) via REST Datasource Query Preview High
CVE-2026-33226 was published for budibase (npm) Mar 18, 2026
da7om85 Credited to da7om85
Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload Low
CVE-2026-33221 was published for github.com/nhost/nhost (Go) Mar 18, 2026
0xkakash1 Credited to 0xkakash1
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database