Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,652
Maven
5,000+
npm
5,000+
NuGet
928
pip
4,857
Pub
13
RubyGems
1,045
Rust
1,301
Swift
53
Unreviewed advisories
All unreviewed
5,000+

29,634 advisories

Loading
ArchiveBox Vulnerable to RCE via unvalidated per-crawl config overrides in AddView Critical
CVE-2026-42601 was published for archivebox (pip) May 4, 2026
q1uf3ng Credited to q1uf3ng
apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible) High
CVE-2026-42575 was published for chainguard.dev/apko (Go) May 4, 2026
1seal Credited to 1seal and antitree antitree antitree
apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root High
CVE-2026-42574 was published for chainguard.dev/apko (Go) May 4, 2026
1seal Credited to 1seal, antitree, and markusthoemmes antitree antitree
markusthoemmes markusthoemmes
apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery Moderate
CVE-2026-42576 was published for chainguard.dev/apko (Go) May 4, 2026
1seal Credited to 1seal, antitree, and markusthoemmes antitree antitree
markusthoemmes markusthoemmes
Pelican Web UI Affected by a Privilege Escalation Attack Critical
CVE-2026-42571 was published for github.com/pelicanplatform/pelican (Go) May 4, 2026
brianaydemir Credited to brianaydemir, jhiemstrawisc, matyasselmeci, and williamnswanson jhiemstrawisc jhiemstrawisc
matyasselmeci matyasselmeci williamnswanson williamnswanson
phpVMS has an /importer authorization bypass causing full database wipe Critical
CVE-2026-42569 was published for nabeel/phpvms (Composer) May 4, 2026
peter-bosch Credited to peter-bosch
AzuraCast Vulnerable to Liquidsoap Code Injection via Incomplete cleanUpString-to-toRawString Migration in Remote Relay Password Field High
GHSA-q4ph-8x8g-95f8 was published for azuracast/azuracast (Composer) May 4, 2026
offset Credited to offset
AzuraCast has Missing Permissions Check on Media File Download, Allowing Cross-Station Data Exfiltration Moderate
GHSA-qff7-q5fm-8p76 was published for azuracast/azuracast (Composer) May 4, 2026
offset Credited to offset
AzuraCast's Missing RequireInternalConnection on Liquidsoap API Allows Low-Privilege Metadata Injection and Broadcast Disruption Moderate
GHSA-4fm3-ggg2-c6qx was published for azuracast/azuracast (Composer) May 4, 2026
offset Credited to offset
AzuraCast has Password Reset Poisoning via Untrusted X-Forwarded-Host Header that Leads to Account Takeover and 2FA Bypass High
CVE-2026-42606 was published for azuracast/azuracast (Composer) May 4, 2026
offset Credited to offset
AzuraCast has Path Traversal in `currentDirectory` Parameter that Enables Remote Code Execution via Media Upload High
CVE-2026-42605 was published for azuracast/azuracast (Composer) May 4, 2026
offset Credited to offset
quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations Moderate
CVE-2026-42333 was published for io.quarkiverse.openapi.generator:quarkus-openapi-generator (Maven) May 4, 2026
Jvr2022 Credited to Jvr2022 and ricardozanini ricardozanini ricardozanini
Sandboxed Thymeleaf expressions vulnerable to improper recognition of unauthorized syntax patterns Critical
CVE-2026-41901 was published for org.thymeleaf:thymeleaf (Maven) May 4, 2026
cristianstaicu Credited to cristianstaicu
OpenClaw's Gateway Control UI bootstrap config required Gateway auth Moderate
GHSA-93rg-2xm5-2p9v was published for openclaw (npm) May 4, 2026
zsxsoft Credited to zsxsoft and KeenSecurityLab KeenSecurityLab KeenSecurityLab
OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes Moderate
GHSA-5h3g-6xhh-rg6p was published for openclaw (npm) May 4, 2026
VladimirEliTokarev Credited to VladimirEliTokarev
OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root High
GHSA-wppj-c6mr-83jj was published for openclaw (npm) May 4, 2026
VladimirEliTokarev Credited to VladimirEliTokarev
changedetection.io project has an XXE vulnerability High
CVE-2026-41895 was published for changedetection.io (pip) May 4, 2026
FORIMOC Credited to FORIMOC
Signal K Server's WebSocket Login Endpoint Lacks Rate Limiting (Credential Brute-Force) High
CVE-2026-41893 was published for signalk-server (npm) May 4, 2026
CI4MS has a Deactivated User Session Bypass (active=0) Moderate
CVE-2026-41891 was published for ci4-cms-erp/ci4ms (Composer) May 4, 2026
dapickle Credited to dapickle
CI4MS Vulnerable to Arbitrary Database Table Drop via Theme deleteProcess Moderate
CVE-2026-41890 was published for ci4-cms-erp/ci4ms (Composer) May 4, 2026
dapickle Credited to dapickle
Distribution's tag deletion bypasses `storage.delete.enabled` configuration Moderate
CVE-2026-41888 was published for github.com/distribution/distribution (Go) May 4, 2026
joonas Credited to joonas
OpenClaw's exec allowlist analysis rejects shell expansion in unquoted heredocs Moderate
GHSA-x3h8-jrgh-p8jx was published for openclaw (npm) May 4, 2026
VladimirEliTokarev Credited to VladimirEliTokarev
OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens High
GHSA-r6xh-pqhr-v4xh was published for openclaw (npm) May 4, 2026
VladimirEliTokarev Credited to VladimirEliTokarev
OpenClaw: Workspace dotenv files cannot override connector endpoint hosts Moderate
GHSA-55cf-xx38-4p9p was published for openclaw (npm) May 4, 2026
qi-scape Credited to qi-scape
OpenClaw's ACP child sessions inherit subagent security envelope constraints Moderate
GHSA-q3jj-46pq-826r was published for openclaw (npm) May 4, 2026
zsxsoft Credited to zsxsoft and KeenSecurityLab KeenSecurityLab KeenSecurityLab
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database