GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
78 advisories
Filter by severity
SiYuan: Unauthenticated SQLite Data Exfiltration via Template Injection in /api/icon/getDynamicIcon
Moderate
CVE-2026-54068
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
ha-mcp: Add-on settings and policy routes are reachable without authentication at the bare root path
Moderate
GHSA-q855-8rh5-jfgq
was published
for
ha-mcp
(pip)
Jul 7, 2026
dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens
Moderate
CVE-2026-55837
was published
for
dbt-mcp
(pip)
Jun 19, 2026
CoreWCF: Unix Domain Socket PosixIdentity transport accepts connections that skip the security upgrade
Moderate
CVE-2026-54776
was published
for
CoreWCF.UnixDomainSocket
(NuGet)
Jun 19, 2026
PraisonAI: Unauthenticated Event Injection via SSE `/publish` Endpoint
Moderate
GHSA-35w5-pcw4-jx94
was published
for
praisonaiagents
(pip)
Jun 18, 2026
epa4all-client: Unauthenticated REST API for Patient Record Writes
Moderate
CVE-2026-47672
was published
for
com.oviva.telematik:epa4all-rest-service
(Maven)
Jun 4, 2026
Nhost CLI local configserver allows cross-origin unauthenticated read/write access to local development configuration and secrets
Moderate
CVE-2026-47671
was published
for
github.com/nhost/nhost
(Go)
Jun 4, 2026
Symfony: Twilio SMS Notifier allows unauthenticated webhook injection due to missing X-Twilio-Signature verification
Moderate
CVE-2026-47212
was published
for
symfony/symfony
(Composer)
May 29, 2026
Sparkle's AppInstaller post-stage-1 XPC listener accepts unvalidated connections, allowing spoofed appcast item data injection
Moderate
CVE-2026-47122
was published
for
github.com/sparkle-project/Sparkle
(Swift)
May 29, 2026
Symfony's Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC — Unauthenticated Webhook Event Injection
Moderate
CVE-2026-45755
was published
for
symfony/mailtrap-mailer
(Composer)
May 28, 2026
Symfony's Mailjet Mailer Webhook Parser Never Verifies the Configured Secret — Unauthenticated Webhook Event Injection
Moderate
CVE-2026-45754
was published
for
symfony/lox24-notifier
(Composer)
May 28, 2026
Algernon: Auto-refresh SSE event server binds to all interfaces with Access-Control-Allow-Origin: * and no authentication
Moderate
GHSA-9v4j-7g44-qcqw
was published
for
github.com/xyproto/algernon
(Go)
May 19, 2026
Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass
Moderate
CVE-2026-45577
was published
for
neotoma
(npm)
May 18, 2026
AVideo: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA
Moderate
CVE-2026-45610
was published
for
WWBN/AVideo
(Composer)
May 15, 2026
Open WebUI Vulnerable to Unauthenticated RAG Configuration Disclosure
Moderate
CVE-2026-45397
was published
for
open-webui
(pip)
May 14, 2026
mem0 server lacks authentication and authorization controls for its memory deletion API endpoint
Moderate
CVE-2026-31241
was published
for
mem0ai
(pip)
May 12, 2026
mem0 server lacks authentication and authorization controls for its memory creation API endpoint
Moderate
CVE-2026-31245
was published
for
mem0ai
(pip)
May 12, 2026
Ech0's Unauthenticated Like Endpoint Enables Arbitrary Engagement Metric Inflation
Moderate
GHSA-rgj7-vg8v-j4wr
was published
for
github.com/lin-snow/ech0
(Go)
May 7, 2026
AVideo: Unauthenticated User Enumeration in objects/users.json.php via isCompany Parameter Allows Bypass of the Admin-Only Listing Restriction
Moderate
CVE-2026-43881
was published
for
wwbn/avideo
(Composer)
May 5, 2026
Ethyca Fides has a Privacy Request Identity Verification Bypass Vulnerability via Duplicate Detection
Moderate
CVE-2026-42303
was published
for
ethyca-fides
(pip)
May 5, 2026
pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification via unrestricted `ssl_verify` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)
Moderate
CVE-2026-42312
was published
for
pyload-ng
(pip)
May 4, 2026
OpenClaw: Sandbox noVNC helper route exposed interactive browser session credentials
Moderate
GHSA-92jp-89mq-4374
was published
for
openclaw
(npm)
Apr 17, 2026
Flowise: Unauthenticated Information Disclosure of OAuth Secrets (Cleartext) via GET Request
Moderate
CVE-2026-56270
was published
for
flowise
(npm)
Apr 16, 2026
Temporal does not enforce authentication and authorization for the streaming AdminService/StreamWorkflowReplicationMessages endpoint
Moderate
CVE-2026-5724
was published
for
go.temporal.io/server
(Go)
Apr 10, 2026
AVideo: Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php
Moderate
CVE-2026-35450
was published
for
wwbn/avideo
(Composer)
Apr 4, 2026
ProTip!
Advisories are also available from the
GraphQL API