Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

62 advisories

Loading
9router: Login brute-force protection bypass via spoofed X-Forwarded-For header High
CVE-2026-55501 was published for 9router (npm) Jul 6, 2026
dinhvaren Credited to dinhvaren
SnailSploit Credited to SnailSploit and 0xShemesh 0xShemesh 0xShemesh
OpenClaw: Matrix allowFrom could bind to mutable display names High
CVE-2026-53811 was published for openclaw (npm) Jul 2, 2026
PhilipPhil Credited to PhilipPhil
OpenClaw: Slack allowFrom could bind to mutable display names High
GHSA-c29c-2q9c-pc86 was published for openclaw (npm) Jul 2, 2026
PhilipPhil Credited to PhilipPhil
OpenClaw: Control UI locality spoofing could mint a durable admin device token High
CVE-2026-53817 was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen
OpenClaw: Same-host trusted-proxy deployments could accept local forged identity headers High
GHSA-rggc-m335-3wvj was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen and Ellahinator Ellahinator Ellahinator
chi's RealIP Middleware allows IP spoofing via unvalidated X-Forwarded-For header High
GHSA-rjr7-jggh-pgcp was published for github.com/go-chi/chi/middleware (Go) Jun 25, 2026
rezmoss Credited to rezmoss
Gogs has an Authentication Bypass via Unvalidated Reverse Proxy Headers High
CVE-2026-25119 was published for gogs.io/gogs (Go) Jun 22, 2026
tenbbughunters Credited to tenbbughunters
OpenClaw: Discord allowFrom could bind to mutable display names High
CVE-2026-53849 was published for openclaw (npm) Jun 18, 2026
PhilipPhil Credited to PhilipPhil
OpenClaw: Zalo allowFrom could bind to mutable display names High
CVE-2026-53857 was published for openclaw (npm) Jun 18, 2026
PhilipPhil Credited to PhilipPhil
Heimdall: IP Spoofing via Unvalidated Forwarding Headers High
GHSA-38x9-25wx-7fg2 was published for https://github.com/dadrus/heimdall (Go) Jun 18, 2026
Duplicate Advisory: Zalo allowFrom could bind to mutable display names High
GHSA-w7m7-3xcf-mp48 was published for openclaw (npm) Jun 16, 2026 withdrawn
Duplicate Advisory: Discord allowFrom could bind to mutable display names High
GHSA-p44v-rx83-vjp4 was published for openclaw (npm) Jun 16, 2026 withdrawn
Caddy: FastCGI header normalization bypass in `forward_auth copy_headers` High
CVE-2026-52845 was published for github.com/caddyserver/caddy (Go) Jun 16, 2026
Vincent550102 Credited to Vincent550102
Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections High
CVE-2026-47737 was published for puma (RubyGems) Jun 9, 2026
vxhex Credited to vxhex and nateberkopec nateberkopec nateberkopec
Symfony Vulnerable to Identity Spoofing via Unanchored DN Regex in X509Authenticator High
CVE-2026-45063 was published for symfony/security-http (Composer) May 27, 2026
Keycloak: Session fixation in OIDC login flow that can lead to account takeover High
CVE-2026-7507 was published for org.keycloak:keycloak-services (Maven) May 19, 2026
Fleet Windows MDM Azure AD JWT Authentication Bypass High
CVE-2026-24899 was published for github.com/fleetdm/fleet/v4 (Go) May 14, 2026
zaddy6 Credited to zaddy6 and arthurgervais arthurgervais arthurgervais
opentelemetry-collector-contrib's azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay High
CVE-2026-42602 was published for github.com/open-telemetry/opentelemetry-collector-contrib/extension/azureauthextension (Go) May 6, 2026
caitlinhalla Credited to caitlinhalla
Duplicate Advisory: OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens High
GHSA-35vf-vw9f-q3cr was published for openclaw (npm) May 6, 2026 withdrawn
OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens High
CVE-2026-44118 was published for openclaw (npm) May 4, 2026
VladimirEliTokarev Credited to VladimirEliTokarev
Traefik: Pre-authentication decision bypass due to forwarded alias spoofing High
CVE-2026-39858 was published for github.com/traefik/traefik (Go) Apr 24, 2026
fancymalware Credited to fancymalware
Django vulnerable to ASGI header spoofing via underscore/hyphen conflation High
CVE-2026-3902 was published for Django (pip) Apr 7, 2026
Auth0OAuthenticator has an Authentication Bypass via Unverified Email Claims High
CVE-2026-33175 was published for oauthenticator (pip) Apr 3, 2026
Jaynornj Credited to Jaynornj and Pr00fOf3xpl0it Pr00fOf3xpl0it Pr00fOf3xpl0it
ProTip! Advisories are also available from the GraphQL API