GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 44
GitHub Actions: 45
Go: 3,227
Maven: 5,000+
npm: 5,000+
NuGet: 864
pip: 4,502
Pub: 12
RubyGems: 995
Rust: 1,187
Swift: 51
Unreviewed advisories
All unreviewed: 5,000+
1,895 advisories
OpenClaw Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch. Severity: Low. GHSA-chm2-m3w2-wcxm was published for clawdbot (npm) on Feb 17, 2026.
OpenClaw log poisoning (indirect prompt injection) via WebSocket headers. Severity: Low. GHSA-g27f-9qjv-22pm was published for openclaw (npm) on Feb 17, 2026.
Apache Tomcat - Security constraint bypass with HTTP/0.9. Severity: Low. CVE-2026-24733 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) on Feb 17, 2026.
OpenClaw Affected by Remote Code Execution via System Prompt Injection in Slack Channel Descriptions. Severity: Low. CVE-2026-24764 was published for openclaw (npm) on Feb 17, 2026.
Mattermost fails to enforce invite permissions when updating team settings. Severity: Low. CVE-2025-14573 was published for github.com/mattermost/mattermost-server (Go) on Feb 16, 2026.
MindsDB affected by a SSRF vulnerability. Severity: Low. CVE-2026-2531 was published for MindsDB (pip) on Feb 16, 2026.
Mattermost doesn't properly validate channel membership at the time of data retrieval. Severity: Low. CVE-2026-20796 was published for github.com/mattermost/mattermost-server (Go) on Feb 13, 2026.
NeuVector scanner insecurely handles passwords as command arguments. Severity: Low. CVE-2025-67860 was published for github.com/neuvector/scanner (Go) on Feb 12, 2026.
Bug-Fixes in `libcrux-ecdh`, `libcrux-ed25519`, `libcrux-psq`. Severity: Low. GHSA-435g-fcv3-8j26 was published for libcrux-ecdh (Rust) on Feb 12, 2026.
qs's arrayLimit bypass in comma parsing allows denial of service. Severity: Low. CVE-2026-2391 was published for qs (npm) on Feb 12, 2026.
LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages. Severity: Low. CVE-2026-26013 was published for langchain-core (pip) on Feb 11, 2026.
Apache Shiro Affected by an Observable Timing Discrepancy Vulnerability. Severity: Low. CVE-2026-23901 was published for org.apache.shiro:shiro-core (Maven) on Feb 10, 2026.
Bitcoinrb Vulnerable to Command injection via RPC. Severity: Low. GHSA-q66h-m87m-j2q6 was published for bitcoinrb (RubyGems) on Feb 10, 2026.
Craft CMS Vulnerable to Stored XSS in Entry Types Name. Severity: Low. CVE-2026-25491 was published for craftcms/cms (Composer) on Feb 9, 2026.
xcode-mcp-server vulnerable to Command Injection. Severity: Low. CVE-2026-2178 was published for xcode-mcp-server (npm) on Feb 8, 2026.
LookupResources Cursor section tampering can crash SpiceDB process via tuple.MustParse panic. Severity: Low. GHSA-vhvq-fv9f-wh4q was published for github.com/authzed/spicedb (Go) on Feb 6, 2026.
Claude Code has Permission Deny Bypass Through Symbolic Links. Severity: Low. CVE-2026-25724 was published for @anthropic-ai/claude-code (npm) on Feb 6, 2026.
Neo4j Enterprise and Community editions have insufficient escaping of unicode characters in query log. Severity: Low. CVE-2026-1337 was published for org.neo4j:neo4j (Maven) on Feb 6, 2026.
webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior. Severity: Low. CVE-2025-68458 was published for webpack (npm) on Feb 5, 2026.
webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence. Severity: Low. CVE-2025-68157 was published for webpack (npm) on Feb 5, 2026.
Microweber has a Cross-site Scripting vulnerability. Severity: Low. CVE-2025-70791 was published for microweber/microweber (Composer) on Feb 5, 2026.
Microweber Cross-site Scripting vulnerability. Severity: Low. CVE-2025-70792 was published for microweber/microweber (Composer) on Feb 5, 2026.
Winter CMS has Stored Cross-site Scripting (XSS) in Asset Manager. Severity: Low. CVE-2026-22254 was published for winter/wn-cms-module (Composer) on Feb 4, 2026.
git2 has potential undefined behavior when dereferencing Buf struct. Severity: Low. GHSA-j39j-6gw9-jw6h was published for git2 (Rust) on Feb 4, 2026.
ingress-nginx has Improper Check for Unusual or Exceptional Conditions. Severity: Low. CVE-2026-24513 was published for k8s.io/ingress-nginx (Go) on Feb 4, 2026.