Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,436
Maven
5,000+
npm
5,000+
NuGet
883
pip
4,694
Pub
13
RubyGems
1,029
Rust
1,212
Swift
53
Unreviewed advisories
All unreviewed
5,000+

28,615 advisories

Loading
OpenClaw's hook transform module path allows traversal and arbitrary JavaScript module loading High
CVE-2026-28393 was published for openclaw (npm) Mar 3, 2026
akhmittra Credited to akhmittra
OpenClaw has command injection via Windows shell fallback in Lobster tool execution High
CVE-2026-32000 was published for openclaw (npm) Mar 3, 2026
allsmog Credited to allsmog
OpenClaw's Telegram message_reaction authorization bypass allows unauthorized system-event injection High
GHSA-qj22-xqjr-v83v was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw has allowlist exec-guard bypass via env -S Moderate
CVE-2026-31992 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
Wagtail Vulnerable to Cross-site Scripting in simple_translation admin interface Moderate
CVE-2026-28223 was published for wagtail (pip) Mar 3, 2026
GCXWLP Credited to GCXWLP, RealOrangeOne, and gasman RealOrangeOne RealOrangeOne
gasman gasman
Wagtail Vulnerable to Cross-site Scripting in TableBlock class attributes Moderate
CVE-2026-28222 was published for wagtail (pip) Mar 3, 2026
GCXWLP Credited to GCXWLP, RealOrangeOne, and gasman RealOrangeOne RealOrangeOne
gasman gasman
BentoML Vulnerable to Arbitrary File Write via Symlink Path Traversal in Tar Extraction High
CVE-2026-27905 was published for bentoml (pip) Mar 3, 2026
q1uf3ng Credited to q1uf3ng
Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack High
CVE-2026-27601 was published for underscore (npm) Mar 3, 2026
ByamB4 Credited to ByamB4 and jgonggrijp jgonggrijp jgonggrijp
OpenSTAManager affected by unauthenticated privilege escalation via modules/utenti/actions.php Critical
CVE-2026-27012 was published for devcode-it/openstamanager (Composer) Mar 3, 2026
RunProgram Credited to RunProgram
Froxlor has Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection Critical
CVE-2026-26279 was published for froxlor/froxlor (Composer) Mar 3, 2026
Moonster8282 Credited to Moonster8282
OpenSTAManager Affected by XSS in modifica_iva.php via righe parameter Moderate
CVE-2026-24415 was published for devcode-it/openstamanager (Composer) Mar 3, 2026
lukasz-rybak Credited to lukasz-rybak
Rancher Backup Operator pod's logs leak S3 tokens Moderate
CVE-2025-62879 was published for github.com/rancher/backup-restore-operator (Go) Mar 3, 2026
OpenViking contains a Path Traversal vulnerability High
CVE-2026-28518 was published for openviking (pip) Mar 3, 2026
Django vulnerable to Uncontrolled Resource Consumption High
CVE-2026-25673 was published for Django (pip) Mar 3, 2026
Django has a Race Condition vulnerability Low
CVE-2026-25674 was published for Django (pip) Mar 3, 2026
Rancher cloud credentials can be used through proxy API by users without access Critical
CVE-2021-25320 was published for github.com/rancher/rancher (Go) Mar 3, 2026
Rancher's restricted PodSecurityPolicy does not prevent containers from running as a privileged user High
GHSA-hwm2-4ph6-w6m5 was published for github.com/rancher/rancher (Go) Mar 3, 2026
Rancher's weave CNI password is not configured when a cluster is created from an RKE template Moderate
CVE-2022-21951 was published for github.com/rancher/rancher (Go) Mar 3, 2026
Rancher has downstream cluster privilege escalation through cluster and project role template binding (CRTB/PRTB) Critical
CVE-2022-31247 was published for github.com/rancher/rancher (Go) Mar 3, 2026
Rancher doesn't properly sanitize credentials in cluster template answers Critical
CVE-2021-36783 was published for github.com/rancher/rancher (Go) Mar 3, 2026
Rancher's Azure AD permission changes are not reflected on active sessions High
CVE-2023-22648 was published for github.com/rancher/rancher (Go) Mar 3, 2026
yvespp Credited to yvespp
Apache Ranger has a Code Injection vulnerability Critical
CVE-2025-59059 was published for org.apache.ranger:ranger-plugins-common (Maven) Mar 3, 2026
Apache Ranger Vulnerable to Improper Validation of Certificate with Host Mismatch Moderate
CVE-2025-59060 was published for org.apache.ranger:ranger-nifi-registry-plugin (Maven) Mar 3, 2026
@tootallnate/once vulnerable to Incorrect Control Flow Scoping Low
CVE-2026-3449 was published for @tootallnate/once (npm) Mar 3, 2026
mailparser vulnerable to Cross-site Scripting Low
CVE-2026-3455 was published for mailparser (npm) Mar 3, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database