
GitHub Advisory Database

Security vulnerability database covering CVEs and GitHub-originated security advisories from the world of open source software.

27,998 advisories

Fleet's user account creation via invite does not enforce invited email address Moderate
CVE-2026-34389 was published for github.com/fleetdm/fleet/v4 (Go) Mar 30, 2026
Fleet vulnerable to Denial of Service via unhandled gRPC log type in launcher endpoint Moderate
CVE-2026-34388 was published for github.com/fleetdm/fleet/v4 (Go) Mar 30, 2026
Fleet vulnerable to SQL Injection in MDM bootstrap package by authenticated team or global admin Moderate
CVE-2026-34386 was published for github.com/fleetdm/fleet/v4 (Go) Mar 30, 2026
Credited to prateek-0490
Fleet's Apple MDM profile delivery has second-order SQL Injection that can compromise the database Moderate
CVE-2026-34385 was published for github.com/fleetdm/fleet/v4 (Go) Mar 30, 2026
Credited to prateek-0490
Telnyx has malicious code in PyPI versions 4.87.1 and 4.87.2 Critical
GHSA-955r-262c-33jc was published for telnyx (pip) Mar 30, 2026
Zebra has a Consensus Failure due to Improper Verification of V5 Transactions High
CVE-2026-34377 was published for zebra-consensus (Rust) Mar 30, 2026
Credited to conradoplg and alchemydc
OpenClaw: Non-owner command-authorized sender can change the owner-only `/send` session delivery policy Moderate
GHSA-39mp-545q-w789 was published for openclaw (npm) Mar 30, 2026
Credited to tdjackey
OpenClaw: `browser.request` still allows `POST /reset-profile` through the `operator.write` surface High
GHSA-xp9r-prpg-373r was published for openclaw (npm) Mar 30, 2026
Credited to tdjackey
OpenClaw: Mutating internal `/allowlist` chat commands missed `operator.admin` scope enforcement Moderate
GHSA-vqvg-86cc-cg83 was published for openclaw (npm) Mar 30, 2026
Credited to tdjackey
OpenClaw: Gateway operator.write Can Reach Admin-Class Channel Allowlist Persistence via chat.send High
GHSA-94pw-c6m8-p9p9 was published for openclaw (npm) Mar 30, 2026
Credited to zpbrent
OpenClaw has an Arbitrary Malicious Code Execution Vulnerability High
GHSA-m3mh-3mpg-37hw was published for openclaw (npm) Mar 30, 2026
Credited to ChangeYourWay
OpenClaw: Gateway HTTP /v1/models route bypasses operator read scope Moderate
GHSA-68f8-9mhj-h2mp was published for openclaw (npm) Mar 30, 2026
Credited to zpbrent
OpenClaw has Sandbox Media Root Bypass via Unnormalized `mediaUrl` / `fileUrl` Parameter Keys (CWE-22) High
GHSA-hr5v-j9h9-xjhg was published for openclaw (npm) Mar 30, 2026
Credited to YLChen-007
AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page High
CVE-2026-34375 was published for wwbn/avideo (Composer) Mar 30, 2026
Credited to adrgs and aisafe-bot
GraphQL API endpoint ignores CORS origin restriction Moderate
CVE-2026-34373 was published for parse-server (npm) Mar 30, 2026
Credited to mtrezza
Sulu checks fix permissions for subentities endpoints Moderate
CVE-2026-34372 was published for sulu/sulu (Composer) Mar 30, 2026
Credited to sh4dowalker
Credited to offset
AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance Moderate
CVE-2026-34368 was published for wwbn/avideo (Composer) Mar 30, 2026
Credited to offset
LiveQuery protected field leak via shared mutable state across concurrent subscribers High
CVE-2026-34363 was published for parse-server (npm) Mar 30, 2026
Credited to mtrezza
AVideo's WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket() Moderate
CVE-2026-34362 was published for wwbn/avideo (Composer) Mar 30, 2026
Credited to offset
MCP Java SDK has a Hardcoded Wildcard CORS (Access-Control-Allow-Origin: *) Moderate
CVE-2026-34237 was published for io.modelcontextprotocol.sdk:mcp-core (Maven) Mar 30, 2026
Credited to srikanthramu
FHIR Validator HTTP service has SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft Critical
CVE-2026-34361 was published for ca.uhn.hapi.fhir:org.hl7.fhir.validation (Maven) Mar 30, 2026
Credited to offset
Advisories are also available from the GraphQL API.
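As an added example of pulling the same listing through the GraphQL API (this is not code from the Advisory Database page or from GitHub): the script below issues a `securityAdvisories` query ordered by publication date, flattens each advisory into one row per affected package, and filters by ecosystem and minimum severity. The live call needs a personal access token in `GITHUB_TOKEN` (an assumption about how you supply credentials); the parsing and filtering run offline against a constructed sample response that mirrors two entries shown on this page, with a placeholder GHSA id and version range for the advisory the page lists by CVE only.

```python
"""Poll recent GitHub security advisories via GraphQL and filter them locally.

Added example, not part of the GitHub Advisory Database page. The sample
response below is constructed to look like the API's shape; values marked
"placeholder" are not real advisory data.
"""
import json
import os
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"

# Newest advisories first; identifiers carry both the GHSA id and any CVE.
QUERY = """
query($first: Int!) {
  securityAdvisories(first: $first, orderBy: {field: PUBLISHED_AT, direction: DESC}) {
    nodes {
      ghsaId
      summary
      severity
      publishedAt
      identifiers { type value }
      vulnerabilities(first: 5) {
        nodes {
          package { ecosystem name }
          vulnerableVersionRange
          firstPatchedVersion { identifier }
        }
      }
    }
  }
}
"""

SEVERITY_ORDER = ["LOW", "MODERATE", "HIGH", "CRITICAL"]


def fetch_advisories(first=20, token=None):
    """Run QUERY against the live API (network + GITHUB_TOKEN required)."""
    token = token or os.environ.get("GITHUB_TOKEN")
    if not token:
        raise RuntimeError("set GITHUB_TOKEN to a personal access token")
    body = json.dumps({"query": QUERY, "variables": {"first": first}}).encode()
    req = urllib.request.Request(
        GRAPHQL_URL,
        data=body,
        headers={
            "Authorization": f"bearer {token}",
            "Content-Type": "application/json",
            "User-Agent": "advisory-poller",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def flatten(response):
    """One dict per (advisory, affected package) pair; CVE is None if absent."""
    rows = []
    for adv in response["data"]["securityAdvisories"]["nodes"]:
        cves = [i["value"] for i in adv["identifiers"] if i["type"] == "CVE"]
        for vuln in adv["vulnerabilities"]["nodes"]:
            patched = vuln.get("firstPatchedVersion")
            rows.append({
                "ghsa": adv["ghsaId"],
                "cve": cves[0] if cves else None,
                "severity": adv["severity"],
                "published": adv["publishedAt"],
                "ecosystem": vuln["package"]["ecosystem"],
                "package": vuln["package"]["name"],
                "range": vuln["vulnerableVersionRange"],
                "patched": patched["identifier"] if patched else None,
            })
    return rows


def select(rows, ecosystems=(), min_severity="LOW"):
    """Keep rows at or above min_severity, optionally limited to ecosystems."""
    floor = SEVERITY_ORDER.index(min_severity)
    return [
        r for r in rows
        if SEVERITY_ORDER.index(r["severity"]) >= floor
        and (not ecosystems or r["ecosystem"] in ecosystems)
    ]


# Constructed sample in the API's shape. Time-of-day, the second GHSA id and
# its version range are placeholders, not data taken from the real advisories.
SAMPLE_RESPONSE = {"data": {"securityAdvisories": {"nodes": [
    {"ghsaId": "GHSA-955r-262c-33jc",
     "summary": "Telnyx has malicious code in PyPI versions 4.87.1 and 4.87.2",
     "severity": "CRITICAL", "publishedAt": "2026-03-30T00:00:00Z",
     "identifiers": [{"type": "GHSA", "value": "GHSA-955r-262c-33jc"}],
     "vulnerabilities": {"nodes": [
         {"package": {"ecosystem": "PIP", "name": "telnyx"},
          "vulnerableVersionRange": "= 4.87.1", "firstPatchedVersion": None},
         {"package": {"ecosystem": "PIP", "name": "telnyx"},
          "vulnerableVersionRange": "= 4.87.2", "firstPatchedVersion": None}]}},
    {"ghsaId": "GHSA-placeholder",  # placeholder: page lists this one by CVE only
     "summary": "GraphQL API endpoint ignores CORS origin restriction",
     "severity": "MODERATE", "publishedAt": "2026-03-30T00:00:00Z",
     "identifiers": [{"type": "GHSA", "value": "GHSA-placeholder"},
                     {"type": "CVE", "value": "CVE-2026-34373"}],
     "vulnerabilities": {"nodes": [
         {"package": {"ecosystem": "NPM", "name": "parse-server"},
          "vulnerableVersionRange": "< placeholder",
          "firstPatchedVersion": {"identifier": "placeholder"}}]}},
]}}}


if __name__ == "__main__":
    data = fetch_advisories() if os.environ.get("GITHUB_TOKEN") else SAMPLE_RESPONSE
    for row in select(flatten(data), min_severity="HIGH"):
        print(row["ghsa"], row["cve"], row["severity"], row["ecosystem"],
              row["package"], row["range"], "->", row["patched"])
```

Flattening per affected package is what makes the output joinable against a dependency inventory: the telnyx entry becomes two rows (one per malicious release) and a `firstPatchedVersion` of `None` tells you there is no safe upgrade target to pin to, only a version to exclude.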