
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

29,523 advisories

CKAN has Unauthenticated SQL Injection and Authorization Bypass in `datastore_search_sql` High
CVE-2026-42031 was published for ckan (pip) Apr 29, 2026
Credited to ddd
Claude SDK for TypeScript has Insecure Default File Permissions in Local Filesystem Memory Tool Moderate
CVE-2026-41686 was published for @anthropic-ai/sdk (npm) Apr 29, 2026
i18next-http-middleware has path traversal / SSRF via user-controlled language and namespace parameters High
CVE-2026-42353 was published for i18next-http-middleware (npm) Apr 29, 2026
netfoil's optional seccomp sandboxing was not applied Moderate
GHSA-vjgj-42f6-7997 was published for github.com/tinfoil-factory/netfoil (Go) Apr 29, 2026
Netfoil has incorrect allowlist enforcement Moderate
GHSA-84g5-x8j3-7235 was published for github.com/tinfoil-factory/netfoil (Go) Apr 29, 2026
pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processes Subscriber High
CVE-2026-42352 was published for pygeoapi (pip) Apr 29, 2026
Credited to Elnimo-00
pygeoapi 0.23.x: Path Traversal in STAC FileSystemProvider High
CVE-2026-42351 was published for pygeoapi (pip) Apr 29, 2026
Credited to Elnimo-00
Marked Vulnerable to OOM Denial of Service via Infinite Recursion in marked Tokenizer High
CVE-2026-41680 was published for marked (npm) Apr 29, 2026
Credited to MaanVader
Admidio: OIDC Token Introspection Endpoint Returns Active for All Tokens Without Validation Moderate
CVE-2026-41671 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to offset
Admidio Sends SAML Response to Unvalidated Assertion Consumer Service URL from AuthnRequest High
CVE-2026-41670 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to offset
Admidio Ignores SAML Signature Validation Result, Processes Forged AuthnRequests and LogoutRequests High
CVE-2026-41669 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to offset
Admidio has CSRF on Admin Preferences that Triggers Unauthorized Backup, .htaccess Write, and Email Send Low
CVE-2026-41663 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to adrgs and aisafe-bot
Admidio Missing Minimum Administrator Check in Role Membership Removal Moderate
CVE-2026-41662 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to adrgs and aisafe-bot
Admidio vulnerable to reflected XSS in msg_window.php via Square Bracket to HTML Tag Conversion Moderate
CVE-2026-41661 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to adrgs and aisafe-bot
Admidio has Inverted 2FA Reset Authorization Check that Lets Group Leaders Strip Admin TOTP High
CVE-2026-41660 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to adrgs and aisafe-bot
Admidio Leaks Hidden Profile Field Values via Blind Search Oracle in Member Assignment Low
CVE-2026-41659 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to offset
Admidio's Missing Authorization on Inventory Module Destructive Endpoints Allows Any Authenticated User to Delete Items Moderate
CVE-2026-41658 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to offset
Admidio Exposes Cross-Organization Member Data via Permission Check Mismatch in contacts_data.php Moderate
CVE-2026-41657 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to offset
Admidio has Path Traversal via Unvalidated `name` Parameter in Document Add Mode that Enables Arbitrary Server File Read Moderate
CVE-2026-41656 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to offset
Admidio has Path Traversal in ECard Preview that Allows Reading Arbitrary Server Files Including Database Credentials Moderate
CVE-2026-41655 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to offset
OpenClaw: Webchat audio embedding could read local files without local-root containment Moderate
GHSA-gfg9-5357-hv4c was published for openclaw (npm) Apr 29, 2026
Credited to zsxsoft
OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners Moderate
GHSA-c28g-vh7m-fm7v was published for openclaw (npm) Apr 29, 2026
Credited to zsxsoft and KeenSecurityLab
n8n has XML Node Prototype Pollution that Leads to RCE Critical
CVE-2026-42232 was published for n8n (npm) Apr 29, 2026
Credited to simonkoeck
n8n has Prototype Pollution in XML Webhook Body Parser that Leads to RCE Critical
CVE-2026-42231 was published for n8n (npm) Apr 29, 2026
Credited to a-tallat
n8n Vulnerable to XSS via MCP OAuth client High
CVE-2026-42235 was published for n8n (npm) Apr 29, 2026
Credited to OscarBataille