GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
55 advisories
Filter by severity
GoFiber Vulnerable to X-Real-IP Spoofing via Header.Add() in BalancerForward
Moderate
CVE-2026-45045
was published
for
github.com/gofiber/fiber/v2
(Go)
Jul 2, 2026
chi Has an IP Spoofing Vulnerability in `middleware.RealIP`
Moderate
GHSA-3fxj-6jh8-hvhx
was published
for
github.com/go-chi/chi/v5/middleware
(Go)
Jun 25, 2026
n8n: Missing Token Validation on Microsoft Agent 365 Trigger and Stripe Nodes
Moderate
CVE-2026-54308
was published
for
n8n
(npm)
Jun 16, 2026
NocoDB: Cross-Workspace Integration Use in Connection Test
Moderate
CVE-2026-47381
was published
for
nocodb
(npm)
Jun 5, 2026
Shopware: Unauthorized Payment Trigger for Foreign Orders via /store-api/handle-payment
Moderate
CVE-2026-48016
was published
for
shopware/core
(Composer)
Jun 4, 2026
Matrix Rust SDK: Sender-binding gaps in to-device and room-key attribution
Moderate
CVE-2026-45056
was published
for
matrix-sdk-crypto
(Rust)
Jun 4, 2026
Doorkeeper Openid Connect: Dynamic Client Registration feature creates public clients with client_secret
Moderate
CVE-2026-44476
was published
for
doorkeeper-openid_connect
(RubyGems)
Jun 4, 2026
Symfony's Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay
Moderate
CVE-2026-45074
was published
for
symfony/security-http
(Composer)
May 27, 2026
Fleet: IP spoofing allows bypassing API rate limiting
Moderate
CVE-2026-46356
was published
for
github.com/fleetdm/fleet/v4
(Go)
May 14, 2026
Fleet has a rate limiting bypass via untrusted client IP headers
Moderate
CVE-2026-24000
was published
for
github.com/fleetdm/fleet/v4
(Go)
May 14, 2026
Duplicate Advisory: OpenClaw: Google Chat app-url webhook auth accepted non-deployment add-on principals
Moderate
GHSA-hgwr-wr8h-rxm7
was published
for
openclaw
(npm)
Apr 10, 2026
•
withdrawn
LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header
Moderate
CVE-2026-39411
was published
for
@lobehub/lobehub
(npm)
Apr 8, 2026
Electron: Service worker can spoof executeJavaScript IPC replies
Moderate
CVE-2026-34778
was published
for
electron
(npm)
Apr 3, 2026
Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField
Moderate
CVE-2026-33433
was published
for
github.com/traefik/traefik/v2
(Go)
Mar 27, 2026
OpenClaw: Forwarding header spoofing bypasses gateway.trustedProxies origin detection
Moderate
CVE-2026-35656
was published
for
openclaw
(npm)
Mar 26, 2026
OpenClaw: Google Chat app-url webhook auth accepted non-deployment add-on principals
Moderate
CVE-2026-35622
was published
for
openclaw
(npm)
Mar 26, 2026
NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers
Moderate
CVE-2026-33246
was published
for
github.com/nats-io/nats-server
(Go)
Mar 24, 2026
NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing
Moderate
CVE-2026-33223
was published
for
github.com/nats-io/nats-server
(Go)
Mar 24, 2026
PinchTab: Unapplied Rate Limiting Middleware Allows Unbounded Brute-Force of API Token
Moderate
CVE-2026-33621
was published
for
github.com/pinchtab/pinchtab
(Go)
Mar 24, 2026
OpenClaw Loopback CDP probe can leak Gateway token to local listener
Moderate
CVE-2026-22174
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes
Moderate
CVE-2026-32045
was published
for
openclaw
(npm)
Mar 3, 2026
n8n has Webhook Forgery on Zendesk Trigger Node
Moderate
GHSA-38c7-23hj-2wgq
was published
for
n8n
(npm)
Feb 26, 2026
n8n: Webhook Forgery on Github Webhook Trigger
Moderate
CVE-2026-56357
was published
for
n8n
(npm)
Feb 26, 2026
OpenClaw Telegram allowlist authorization accepted mutable usernames
Moderate
CVE-2026-28480
was published
for
clawdbot
(npm)
Feb 18, 2026
OpenClaw has a Matrix allowlist bypass via displayName and cross-homeserver localpart matching
Moderate
CVE-2026-28471
was published
for
openclaw
(npm)
Feb 17, 2026
ProTip!
Advisories are also available from the
GraphQL API