Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
43
Go
3,181
Maven
5,000+
npm
5,000+
NuGet
863
pip
4,474
Pub
12
RubyGems
991
Rust
1,185
Swift
51
Unreviewed advisories
All unreviewed
5,000+

27,250 advisories

Loading
Parse Server's GraphQL WebSocket endpoint bypasses security middleware Moderate
CVE-2026-32594 was published for parse-server (npm) Mar 13, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
Yamux vulnerable to remote Panic via malformed Data frame with SYN set and len = 262145 High
CVE-2026-32314 was published for yamux (Rust) Mar 13, 2026
xmlseclibs: Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unauthorized Decryption High
CVE-2026-32313 was published for robrichards/xmlseclibs (Composer) Mar 13, 2026
Sideni Credited to Sideni
Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL Critical
CVE-2026-32301 was published for github.com/centrifugal/centrifugo/v6 (Go) Mar 13, 2026
VarshankNaik Credited to VarshankNaik
Scrapy: Arbitrary Module Import via Referrer-Policy Header in RefererMiddleware High
GHSA-cwxj-rr6w-m6w7 was published for Scrapy (pip) Mar 13, 2026
Tomer-PL Credited to Tomer-PL
Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint Moderate
CVE-2026-32269 was published for parse-server (npm) Mar 13, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
Deno vulnerable to command Injection via incomplete shell metacharacter blocklist in node:child_process High
CVE-2026-32260 was published for deno (Rust) Mar 13, 2026
rtvkiz Credited to rtvkiz
rs-soroban-sdk: `Fr` scalar field equality comparison bypasses modular reduction Moderate
CVE-2026-32322 was published for soroban-sdk (Rust) Mar 13, 2026
leighmcculloch Credited to leighmcculloch
OneUptime: Stored XSS via Mermaid Diagram Rendering (securityLevel: "loose") High
CVE-2026-32308 was published for oneuptime (npm) Mar 13, 2026
restriction Credited to restriction
OneUptime ClickHouse SQL Injection via Aggregate Query Parameters Critical
CVE-2026-32306 was published for oneuptime (npm) Mar 13, 2026
restriction Credited to restriction
OpenClaw: Discord guild reaction ingress could bypass users and roles allowlists Moderate
GHSA-9vvh-2768-c8vp was published for openclaw (npm) Mar 13, 2026
zpbrent Credited to zpbrent
CairoSVG vulnerable to Exponential DoS via recursive <use> element amplification High
CVE-2026-31899 was published for CairoSVG (pip) Mar 13, 2026
SnailSploit Credited to SnailSploit
Yamux vulnerable to remote Panic via malformed WindowUpdate credit High
CVE-2026-31814 was published for yamux (Rust) Mar 13, 2026
Gokapi's File Request MaxSize Limit Bypassed via Multi-Chunk Upload Moderate
CVE-2026-30961 was published for github.com/forceu/gokapi (Go) Mar 13, 2026
Sijisu Credited to Sijisu, aisafe-bot, and Forceu aisafe-bot aisafe-bot
Forceu Forceu
Gokapi vulnerable to DoS in E2E Metadata Parser Moderate
CVE-2026-30955 was published for github.com/forceu/gokapi (Go) Mar 13, 2026
Sijisu Credited to Sijisu, Forceu, and aisafe-bot Forceu Forceu
aisafe-bot aisafe-bot
Gokapi vulnerable to Privilege Escalation in File Replace Moderate
CVE-2026-30943 was published for github.com/forceu/gokapi (Go) Mar 13, 2026
Sijisu Credited to Sijisu, aisafe-bot, and Forceu aisafe-bot aisafe-bot
Forceu Forceu
SFTPGo improperly sanitizes placeholders in group home directories/key prefixes Moderate
CVE-2026-30915 was published for github.com/drakkan/sftpgo/v2 (Go) Mar 13, 2026
SFTPGo Vulnerable to Path Traversal and Permission Bypass via Path Normalization Discrepancy Moderate
CVE-2026-30914 was published for github.com/drakkan/sftpgo (Go) Mar 13, 2026
mcantrell Credited to mcantrell
Locutus vulnerable to RCE via unsanitized input in create_function() Critical
CVE-2026-32304 was published for locutus (npm) Mar 13, 2026
ByamB4 Credited to ByamB4
SM9 Infinity-Point Ciphertext Forgery Vulnerability Critical
CVE-2026-32614 was published for github.com/emmansun/gmsm (Go) Mar 13, 2026
Cameudis Credited to Cameudis and sunyxedu sunyxedu sunyxedu
OpenClaw: Unavailable local auth SecretRefs could fall through to remote credentials in local mode Low
GHSA-qvr7-g57c-mrc7 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Sandbox staged writes could escape the verified parent directory before commit High
GHSA-mj4p-rc52-m843 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Write-scoped callers could reach admin-only session reset logic through `agent` Moderate
GHSA-jf6w-m8jw-jfxc was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Unrecognized script runners could bypass `system.run` approval integrity High
GHSA-qc36-x95h-7j53 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Channel commands could bypass account-scoped `configWrites` restrictions Moderate
GHSA-8jhh-jcqg-mj5p was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database