GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open source software.
GitHub reviewed advisories, count per ecosystem (as shown by the ecosystem filter at the time of capture; "5,000+" is the filter's display cap, not an exact total):
  All reviewed: 5,000+
  Composer: 5,000+
  Erlang: 49
  GitHub Actions: 49
  Go: 3,436
  Maven: 5,000+
  npm: 5,000+
  NuGet: 883
  pip: 4,694
  Pub: 13
  RubyGems: 1,029
  Rust: 1,212
  Swift: 53
Unreviewed advisories (all): 5,000+

Listing: 28,615 advisories, newest first. Each entry gives the advisory title, then severity, identifier, affected package (ecosystem) and publication date.
OpenClaw: Marketplace Plugin Download Follows Redirects Without SSRF Protection
  Moderate | GHSA-vjx8-8p7h-82gr | openclaw (npm) | published Apr 7, 2026

OpenClaw: Tlon media downloads can bypass core safety limits and exhaust disk
  Moderate | GHSA-4g5x-2jfc-xm98 | openclaw (npm) | published Apr 7, 2026

OpenClaw: `/phone arm`/`/phone disarm` Bypasses `operator.admin` Scope Check for External Channels
  Moderate | GHSA-h2v7-xc88-xx8c | openclaw (npm) | published Apr 7, 2026

OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision
  Moderate | CVE-2026-34972 | github.com/openfga/openfga (Go) | published Apr 7, 2026

Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution
  High | CVE-2026-34148 | @fedify/fedify (npm) | published Apr 7, 2026

Electron: Crash in clipboard.readImage() on malformed clipboard image data
  Low | CVE-2026-34781 | electron (npm) | published Apr 7, 2026

Electron: Named window.open targets not scoped to the opener's browsing context
  Moderate | CVE-2026-34765 | electron (npm) | published Apr 7, 2026

Lupa has a Sandbox escape and RCE due to incomplete attribute_filter enforcement in getattr / setattr
  High | CVE-2026-34444 | lupa (pip) | published Apr 7, 2026

OpenIdentityPlatform OpenAM: Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM
  Critical | CVE-2026-33439 | org.openidentityplatform.openam:openam (Maven) | published Apr 7, 2026

Django vulnerable to ASGI header spoofing via underscore/hyphen conflation
  High | CVE-2026-3902 | Django (pip) | published Apr 7, 2026

Django vulnerable to privilege abuse in GenericInlineModelAdmin
  Low | CVE-2026-4277 | Django (pip) | published Apr 7, 2026

Open Cluster Management (OCM): Cross-cluster privilege escalation via improper Kubernetes client certificate renewal validation
  High | CVE-2026-4740 | open-cluster-management.io/ocm (Go) | published Apr 7, 2026

Django vulnerable to privilege abuse in ModelAdmin.list_editable
  Low | CVE-2026-4292 | Django (pip) | published Apr 7, 2026

Django has potential DoS via MultiPartParser through crafted multipart uploads
  Moderate | CVE-2026-33033 | Django (pip) | published Apr 7, 2026

Django: SGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit
  High | CVE-2026-33034 | Django (pip) | published Apr 7, 2026

MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint
  Moderate | CVE-2026-33866 | mlflow (pip) | published Apr 7, 2026

MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface
  Moderate | CVE-2026-33865 | mlflow (pip) | published Apr 7, 2026

Apache ActiveMQ: Improper validation and restriction of a classpath path name
  Moderate | CVE-2026-33227 | org.apache.activemq:activemq-all (Maven) | published Apr 7, 2026

HuggingFace Transformers allows for arbitrary code execution in the `Trainer` class
  Moderate | CVE-2026-1839 | transformers (pip) | published Apr 7, 2026

PraisonAI Has Path Traversal in FileTools
  Critical | CVE-2026-35615 | PraisonAI (pip) | published Apr 6, 2026

PraisonAI recipe registry publish path traversal allows out-of-root file write
  High | CVE-2026-39308 | PraisonAI (pip) | published Apr 6, 2026

PraisonAI recipe registry pull path traversal writes files outside the chosen output directory
  High | CVE-2026-39306 | PraisonAI (pip) | published Apr 6, 2026

PraisonAI Vulnerable to Arbitrary File Write / Path Traversal in Action Orchestrator
  Critical | CVE-2026-39305 | PraisonAI (pip) | published Apr 6, 2026

PraisonAI Has Arbitrary File Write (Zip Slip) in Templates Extraction
  High | CVE-2026-39307 | PraisonAI (pip) | published Apr 6, 2026

go-ipld-prime: DAG-CBOR decoder unbounded memory allocation from CBOR headers
  Moderate | CVE-2026-35480 | github.com/ipld/go-ipld-prime (Go) | published Apr 6, 2026
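Five of the PraisonAI entries above name the same defect class: a user-controlled relative name (a tool argument, a registry publish/pull path, an archive member) is joined onto a chosen root and written without checking where the joined path actually lands. The following is an added example, not PraisonAI's code and not a description of its fix: a generic extractor that resolves every destination and refuses any member that would leave the target directory, with the same check usable for a plain file-write helper. The archive and member names are constructed in memory for the demo.

```python
# Added example (not PraisonAI's code): Zip Slip / path-traversal guard.
# The sample archive below is constructed in memory; no real package is used.
from __future__ import annotations

import io
import os
import stat
import tempfile
import zipfile
from pathlib import Path


class UnsafePathError(ValueError):
    """A member name or user-supplied path would escape the extraction root."""


def resolve_inside(root: Path | str, relative: str) -> Path:
    """Return root/relative after confirming the resolved path stays under root.

    resolve() collapses '..', symlinked parents and redundant separators, so the
    containment check is made on the real filesystem path, not on the string.
    """
    root = Path(root).resolve()
    # Path.__truediv__ discards `root` when `relative` is absolute, so reject
    # absolute names (and Windows drive letters) before joining.
    if os.path.isabs(relative) or os.path.splitdrive(relative)[0]:
        raise UnsafePathError(f"absolute member path: {relative!r}")
    candidate = (root / relative).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise UnsafePathError(f"path escapes root: {relative!r}") from None
    return candidate


def extract_zip_safely(data: bytes, dest: Path) -> list[str]:
    """Extract `data` under `dest`; raise UnsafePathError on a traversing member.

    Symlink members are skipped: a link pointing outside `dest` would let a later
    member write through it even though that member's own name looks harmless.
    """
    written: list[str] = []
    dest.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = resolve_inside(dest, info.filename)  # raises before any write
            if stat.S_ISLNK(info.external_attr >> 16):
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(info))
            written.append(info.filename)
    return written


def build_demo_zip(malicious: bool) -> bytes:
    """Constructed sample: one benign template file, plus a '../' member if asked."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("template/README.md", "hello\n")
        if malicious:
            # zipfile stores this name unchanged; only the extractor can refuse it.
            zf.writestr("../outside.txt", "escaped\n")
    return buf.getvalue()


def demo() -> dict:
    """Extract both archives into a fresh temp dir and report what happened."""
    root = Path(tempfile.mkdtemp())
    clean = extract_zip_safely(build_demo_zip(False), root / "clean")
    try:
        extract_zip_safely(build_demo_zip(True), root / "evil")
        blocked = False
    except UnsafePathError:
        blocked = True
    # '../outside.txt' relative to root/evil would have landed at root/outside.txt.
    escaped = (root / "outside.txt").exists()
    return {"clean": clean, "blocked": blocked, "escaped": escaped}


if __name__ == "__main__":
    print(demo())
```

The check is done on the resolved path rather than by string-matching for `..`, because `..` can also be smuggled through a symlinked directory created by an earlier member, and because an absolute member name defeats a join without ever containing `..`.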
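The Django entry "ASGI header spoofing via underscore/hyphen conflation" names a class that any framework exposing HTTP headers as CGI-style `META` keys can fall into. What follows is an added example, not Django's code and not its patch: ASGI delivers `scope["headers"]` as lowercase (name, value) byte pairs, and if the key is formed by uppercasing the name and swapping `-` for `_`, then `x-forwarded-for` and `x_forwarded_for` both land on `HTTP_X_FORWARDED_FOR`, so a header the client typed with underscores is merged into one a trusted proxy set. Dropping names that contain `_` before the mapping removes the collision. The scope, the addresses and the assumption that the proxy passes the underscore header through untouched are all constructed for the demo.

```python
# Added example (not Django's code): underscore/hyphen header-name conflation
# on a hand-built ASGI scope, with the conflating and the hardened mapping.


def meta_from_asgi_headers(headers, allow_underscores=False):
    """Build CGI-style META keys from ASGI `scope["headers"]`.

    allow_underscores=True reproduces the conflating behaviour. The default
    discards any header name containing '_', so only the hyphenated spelling
    can ever populate a given META key. Repeated names are joined with ','
    (the RFC 9110 list syntax), which is what turns a collision into an
    injection into the trusted header's value list.
    """
    meta = {}
    for raw_name, raw_value in headers:
        name = raw_name.decode("latin-1")
        if not allow_underscores and "_" in name:
            continue
        key = "HTTP_" + name.upper().replace("-", "_")
        value = raw_value.decode("latin-1")
        meta[key] = meta[key] + "," + value if key in meta else value
    return meta


def client_ip(meta):
    """Rightmost X-Forwarded-For entry, assuming exactly one trusted proxy
    appended the address it saw. Anything the client can append after that
    entry displaces the trusted value."""
    chain = [p.strip() for p in meta.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    chain = [p for p in chain if p]
    return chain[-1] if chain else meta.get("REMOTE_ADDR")


# Constructed ASGI headers (assumption, not a claim about any product): the
# trusted proxy appended the real client address to x-forwarded-for and passed
# the client's own x_forwarded_for header through unchanged, after it.
DEMO_HEADERS = [
    (b"host", b"app.example"),
    (b"x-forwarded-for", b"203.0.113.7"),
    (b"x_forwarded_for", b"10.0.0.1"),
]


def demo():
    """Compare what the application sees under the two mappings."""
    naive = meta_from_asgi_headers(DEMO_HEADERS, allow_underscores=True)
    hardened = meta_from_asgi_headers(DEMO_HEADERS)
    return {
        "naive_xff": naive["HTTP_X_FORWARDED_FOR"],        # "203.0.113.7,10.0.0.1"
        "naive_client": client_ip(naive),                  # "10.0.0.1", attacker-chosen
        "hardened_xff": hardened["HTTP_X_FORWARDED_FOR"],  # "203.0.113.7"
        "hardened_client": client_ip(hardened),            # "203.0.113.7"
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Whether the underscore header reaches the application at all depends on the proxy in front of it; the mapping layer is the last place the collision can be removed, which is why the example filters there rather than relying on proxy configuration.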
Advisories are also available from the GraphQL API.