
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

27,583 advisories

Craft CMS: Entries Authorship Spoofing via Mass Assignment (Moderate)
CVE-2026-28781 was published for craftcms/cms (Composer) Mar 3, 2026
Credited to mHe4am, RajChowdhury240, and rlarabee

Craft CMS Vulnerable to Authenticated RCE via "craft.app.fs.write()" in Twig Templates (Critical)
CVE-2026-28697 was published for craftcms/cms (Composer) Mar 3, 2026
Credited to mHe4am

NocoDB Vulnerable to Stored Cross-Site Scripting via Rich Text Cells (Moderate)
CVE-2026-28401 was published for nocodb (npm) Mar 3, 2026
Credited to p-

NocoDB Vulnerable to Stored Cross-Site Scripting via Comments (Moderate)
CVE-2026-28397 was published for nocodb (npm) Mar 3, 2026
Credited to p-

NocoDB Vulnerable to SQL Injection via DATEADD Formula (Moderate)
CVE-2026-28399 was published for nocodb (npm) Mar 3, 2026
Credited to q1uf3ng

NocoDB Vulnerable to Stored Cross-Site Scripting via Comments and Rich Text Cells (Moderate)
CVE-2026-28398 was published for nocodb (npm) Mar 3, 2026
Credited to bugbunny-research

Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options (Low)
GHSA-4mgv-366x-qxvx was published for craftcms/cms (Composer) Mar 3, 2026
Credited to mHe4am

Craft CMS has IDOR via GraphQL @parseRefs (High)
CVE-2026-28696 was published for craftcms/cms (Composer) Mar 3, 2026
Credited to z3rco

Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget (Moderate)
CVE-2026-28695 was published for craftcms/cms (Composer) Mar 3, 2026
Credited to andreisss

AWS-LC has PKCS7_verify Signature Validation Bypass (High)
GHSA-hfpc-8r3f-gw53 was published for aws-lc-sys (Rust) Mar 3, 2026

AWS-LC has Timing Side-Channel in AES-CCM Tag Verification (High)
GHSA-65p9-r9h6-22vj was published for aws-lc-fips-sys (Rust) Mar 3, 2026

AWS-LC has PKCS7_verify Certificate Chain Validation Bypass (High)
GHSA-vw5v-4f2q-w9xf was published for aws-lc-sys (Rust) Mar 3, 2026

aws-kms-tls-auth vulnerable to memory overallocation (Low)
GHSA-5whh-4q9j-7v28 was published for aws-kms-tls-auth (Rust) Mar 3, 2026

PickleScan has multiple stdlib modules with direct RCE not in blocklist (Critical)
GHSA-g38g-8gr9-h9xp was published for picklescan (pip) Mar 3, 2026
Credited to yash2998chhabria

PickleScan's pkgutil.resolve_name has a universal blocklist bypass (Critical)
GHSA-vvpj-8cmc-gx39 was published for picklescan (pip) Mar 3, 2026
Credited to yash2998chhabria

PickleScan's profile.run blocklist mismatch allows exec() bypass (Critical)
GHSA-7wx9-6375-f5wh was published for picklescan (pip) Mar 3, 2026
Credited to yash2998chhabria

WWBN AVideo is vulnerable to unauthenticated OS Command Injection via base64Url in objects/getImage.php (Critical)
CVE-2026-29058 was published for wwbn/avideo (Composer) Mar 3, 2026
Credited to arkmarta

Ghost Vulnerable to Remote Code Execution via Malicious Themes (High)
CVE-2026-29053 was published for ghost (npm) Mar 3, 2026
Credited to cristianstaicu

OpenClaw vulnerable to sensitive file disclosure via stageSandboxMedia (High)
CVE-2026-32030 was published for openclaw (npm) Mar 3, 2026
Credited to zpbrent

OpenClaw vulnerable to arbitrary file read via $include directive (Moderate)
CVE-2026-32061 was published for openclaw (npm) Mar 3, 2026
Credited to aether-ai-agent

OpenClaw's system.run allowlist bypass via shell line-continuation command substitution (Moderate)
CVE-2026-28460 was published for openclaw (npm) Mar 3, 2026
Credited to tdjackey

OpenClaw's config env vars allowed startup env injection into service runtime (High)
CVE-2026-22177 was published for openclaw (npm) Mar 3, 2026
Credited to tdjackey

OpenClaw's shell env fallback trusts unvalidated SHELL path from host environment (Moderate)
CVE-2026-32032 was published for openclaw (npm) Mar 3, 2026
Credited to athuljayaram

OpenClaw's tools.exec.safeBins trusted PATH directories allowed binary shadowing in allowlist mode (Moderate)
GHSA-qhrr-grqp-6x2g was published for openclaw (npm) Mar 3, 2026
Credited to tdjackey

OpenClaw's Slack reaction/pin sender-policy consistency issue in non-message ingress (Moderate)
GHSA-rm2p-j3r7-4x4j was published for openclaw (npm) Mar 3, 2026
Credited to tdjackey