GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 49
GitHub Actions: 50
Go: 3,599
Maven: 5,000+
npm: 5,000+
NuGet: 924
pip: 4,828
Pub: 13
RubyGems: 1,045
Rust: 1,256
Swift: 53
Unreviewed advisories
All unreviewed: 5,000+
1,347 advisories
Avo: Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources
High · GHSA-qc5p-3mg5-9fh8 · avo (RubyGems) · published Apr 24, 2026
The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object...
Moderate · Unreviewed · CVE-2026-6810 · published Apr 24, 2026
The MaxiBlocks Builder plugin for WordPress is vulnerable to arbitrary media file deletion due to...
Moderate · Unreviewed · CVE-2026-2028 · published Apr 24, 2026
A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name...
High · Unreviewed · CVE-2026-6375 · published Apr 23, 2026
An API design flaw in WebKitGTK and WPE WebKit allows untrusted web content to unexpectedly...
Moderate · Unreviewed · CVE-2025-66286 · published Apr 23, 2026
The Login as User plugin for WordPress is vulnerable to Privilege Escalation in all versions up...
High · Unreviewed · CVE-2026-5617 · published Apr 22, 2026
The Avada (Fusion) Builder plugin for WordPress is vulnerable to Sensitive Information Exposure...
Moderate · Unreviewed · CVE-2026-1541 · published Apr 22, 2026
ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated...
Critical · Unreviewed · CVE-2018-25270 · published Apr 22, 2026
An insecure direct object reference (IDOR) vulnerability in the Fullstep V5 registration process...
High · Unreviewed · CVE-2026-5750 · published Apr 22, 2026
An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in...
High · Unreviewed · CVE-2026-5845 · published Apr 22, 2026
An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed an...
Moderate · Unreviewed · CVE-2026-3307 · published Apr 22, 2026
An insecure direct object reference vulnerability in the Users API component of Crafty Controller...
Critical · Unreviewed · CVE-2026-5652 · published Apr 21, 2026
Neko has a Self-service Privilege Escalation for Authenticated Users
High · CVE-2026-39386 · github.com/m1k1o/neko/server (Go) · published Apr 21, 2026
A vulnerability exists in the Buffalo Link Station version 1.85-0.01 that allows unauthenticated...
Moderate · Unreviewed · CVE-2025-66954 · published Apr 20, 2026
Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs, enabling API credit abuse via stored credentials
High · CVE-2026-41279 · flowise (npm) · published Apr 17, 2026
Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object Takeover (IDOR)
High · CVE-2026-41277 · flowise (npm) · published Apr 17, 2026
The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all...
Moderate · Unreviewed · CVE-2026-5234 · published Apr 17, 2026
Paperclip: Cross-tenant agent API key IDOR in `/agents/:id/keys` routes allows full victim-company compromise
Critical · GHSA-3xx2-mqjm-hg9x · @paperclipai/server (npm) · published Apr 16, 2026
Paperclip: Cross-tenant agent API token minting via missing assertCompanyAccess on /api/agents/:id/keys
Critical · GHSA-47wq-cj9q-wpmp · @paperclipai/server (npm) · published Apr 16, 2026
Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association
High · CVE-2026-41267 · flowise (npm) · published Apr 16, 2026
Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog in My Calendar
High · CVE-2026-40308 · joedolson/my-calendar (Composer) · published Apr 16, 2026
The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin...
Moderate · Unreviewed · CVE-2026-4160 · published Apr 16, 2026
Authorization Bypass Through User-Controlled Key vulnerability in VillaTheme COMPE compe-woo...
Moderate · Unreviewed · CVE-2026-40737 · published Apr 15, 2026
Authorization Bypass Through User-Controlled Key vulnerability in Mahmudul Hasan Arif...
High · Unreviewed · CVE-2026-40784 · published Apr 15, 2026
WWBN AVideo has an IDOR in Live Restreams list.json.php that exposes other users' stream keys and OAuth tokens
Moderate · CVE-2026-40907 · wwbn/avideo (Composer) · published Apr 14, 2026
ProTip! Advisories are also available from the GraphQL API.
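The GraphQL route mentioned in the tip is the practical way to pull this listing programmatically rather than scraping the page. The script below is an added example, not code from GitHub or from any project listed above: it builds a `securityAdvisories` query against `https://api.github.com/graphql` (the endpoint requires a token in an `Authorization: bearer` header), flattens the response into one row per advisory with its severity, identifiers and affected packages, and filters by a minimum severity. The embedded sample response is constructed from two reviewed advisories visible on this page (publication times, which the page does not show, are placeholders); the network call runs only when a `GITHUB_TOKEN` environment variable is present, so the script works offline on the sample.

```python
"""Query the GitHub Advisory Database over GraphQL and summarise the result.

Added example, not GitHub's own code. The query shape follows GitHub's public
GraphQL schema (securityAdvisories -> nodes{ghsaId, summary, severity,
publishedAt, identifiers, vulnerabilities{package{ecosystem,name}}}).
"""
import json
import os
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"

QUERY = """
query($first: Int!) {
  securityAdvisories(first: $first,
                     orderBy: {field: PUBLISHED_AT, direction: DESC}) {
    nodes {
      ghsaId
      summary
      severity
      publishedAt
      identifiers { type value }
      vulnerabilities(first: 10) {
        nodes { package { ecosystem name } }
      }
    }
  }
}
"""

SEVERITY_RANK = {"LOW": 0, "MODERATE": 1, "HIGH": 2, "CRITICAL": 3}


def build_request(token, first=50):
    """Build the POST request; the token goes in a bearer Authorization header."""
    body = json.dumps({"query": QUERY, "variables": {"first": first}}).encode()
    return urllib.request.Request(
        GRAPHQL_URL,
        data=body,
        headers={"Authorization": f"bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )


def fetch_advisories(token, first=50):
    """Network call: the GraphQL endpoint rejects unauthenticated requests."""
    with urllib.request.urlopen(build_request(token, first), timeout=30) as resp:
        return json.load(resp)


def summarise(payload):
    """Flatten a GraphQL response into one dict per advisory."""
    rows = []
    for node in payload["data"]["securityAdvisories"]["nodes"]:
        cves = [i["value"] for i in node["identifiers"] if i["type"] == "CVE"]
        packages = [(v["package"]["ecosystem"], v["package"]["name"])
                    for v in node["vulnerabilities"]["nodes"]]
        rows.append({
            "ghsa_id": node["ghsaId"],
            "cves": cves,
            "severity": node["severity"],
            "published": node["publishedAt"][:10],   # keep the date only
            "packages": packages,
            "summary": node["summary"],
        })
    return rows


def at_least(rows, min_severity):
    """Keep rows whose severity is at or above min_severity (LOW..CRITICAL)."""
    floor = SEVERITY_RANK[min_severity]
    return [r for r in rows if SEVERITY_RANK.get(r["severity"], -1) >= floor]


# Constructed sample response: two reviewed advisories from the listing page.
# Timestamps are placeholders; the page shows only the publication date.
SAMPLE_RESPONSE = {"data": {"securityAdvisories": {"nodes": [
    {"ghsaId": "GHSA-qc5p-3mg5-9fh8",
     "summary": "Avo: Broken Access Control Through Unauthorized Execution "
                "of Arbitrary Action Classes Across Resources",
     "severity": "HIGH", "publishedAt": "2026-04-24T00:00:00Z",
     "identifiers": [{"type": "GHSA", "value": "GHSA-qc5p-3mg5-9fh8"}],
     "vulnerabilities": {"nodes": [
         {"package": {"ecosystem": "RUBYGEMS", "name": "avo"}}]}},
    {"ghsaId": "GHSA-3xx2-mqjm-hg9x",
     "summary": "Paperclip: Cross-tenant agent API key IDOR in "
                "/agents/:id/keys routes allows full victim-company compromise",
     "severity": "CRITICAL", "publishedAt": "2026-04-16T00:00:00Z",
     "identifiers": [{"type": "GHSA", "value": "GHSA-3xx2-mqjm-hg9x"}],
     "vulnerabilities": {"nodes": [
         {"package": {"ecosystem": "NPM", "name": "@paperclipai/server"}}]}},
]}}}


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    payload = fetch_advisories(token) if token else SAMPLE_RESPONSE
    for row in at_least(summarise(payload), "HIGH"):
        pkgs = ", ".join(f"{n} ({e})" for e, n in row["packages"])
        print(f'{row["severity"]:<8} {row["ghsa_id"]} {row["published"]} {pkgs}')
```

Ecosystem names come back as the schema's enum values (`RUBYGEMS`, `NPM`, `PIP`, `GO`, ...) rather than the display names in the sidebar above, so filter on those when narrowing to the ecosystems you ship.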