GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

164 advisories

FUXA Unauthenticated Remote Code Execution in Node-RED Integration Critical
CVE-2026-25938 was published for fuxa-server (npm) Feb 10, 2026
Credited to wodzen
FroshAdminer Adminer UI is accessible without admin session Moderate
CVE-2026-25878 was published for frosh/adminer-platform (Composer) Feb 10, 2026
Credited to xndrdev and Gugiman
Sliver has DNS C2 OTP Bypass that Allows Unauthenticated Session Flooding and Denial of Service High
CVE-2026-25791 was published for github.com/bishopfox/sliver (Go) Feb 6, 2026
Credited to xtle0o0
Keylime Missing Authentication for Critical Function and Improper Authentication Critical
CVE-2026-1709 was published for keylime (pip) Feb 6, 2026
Credited to saivarun3407 and Death-Incarnate
FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API Critical
CVE-2026-25895 was published for fuxa-server (npm) Feb 5, 2026
Credited to wodzen
FUXA Unauthenticated Exposure of Plaintext Database Credentials Critical
CVE-2026-25751 was published for fuxa-server (npm) Feb 5, 2026
Credited to wodzen
OpenClaw vulnerable to Unauthenticated Local RCE via WebSocket config.apply High
CVE-2026-25593 was published for openclaw (npm) Feb 4, 2026
Credited to hackerman70000
FUXA contains an insecure default configuration vulnerability High
CVE-2025-69970 was published for fuxa-server (npm) Feb 3, 2026
FUXA contains an Unrestricted File Upload vulnerability High
CVE-2025-69981 was published for fuxa-server (npm) Feb 3, 2026
Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication Critical
CVE-2026-25505 was published for bambuddy (pip) Feb 2, 2026
Credited to Speenah
Dragonfly Manager Job API Unauthenticated Access High
CVE-2026-24124 was published for d7y.io/dragonfly/v2 (Go) Jan 22, 2026
Credited to b0b0haha and gaius-qi
REC in MCPJam inspector due to HTTP Endpoint exposes Critical
CVE-2026-23744 was published for @mcpjam/inspector (npm) Jan 16, 2026
Credited to c2an1
OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution High
CVE-2026-22812 was published for opencode-ai (npm) Jan 13, 2026
Credited to CyberShadow
OpenFlagr contains an authentication bypass vulnerability in the HTTP middleware Critical
CVE-2026-0650 was published for github.com/openflagr/flagr (Go) Jan 7, 2026
Bagisto Missing Authentication on Installer API Endpoints High
CVE-2026-21446 was published for bagisto/bagisto (Composer) Jan 2, 2026
Credited to mhzcyber
Langflow Missing Authentication on Critical API Endpoints High
CVE-2026-21445 was published for langflow (pip) Jan 2, 2026
Credited to kj84park and juh0ng
Ollama Platform has missing authentication enabling attackers to perform model management operations Critical
CVE-2025-63389 was published for github.com/ollama/ollama (Go) Dec 18, 2025
Step CA Has Authorization Bypass in ACME and SCEP Provisioners Critical
CVE-2025-44005 was published for github.com/smallstep/certificates (Go) Dec 3, 2025
Mattermost fails to validate user permissions in Boards Low
CVE-2025-13870 was published for github.com/mattermost/mattermost (Go) Dec 2, 2025
Flowise does not Prevent Bypass of Password Confirmation - Unverified Password Change High
GHSA-fjh6-8679-9pch was published for flowise-ui (npm) Nov 14, 2025
Credited to mbiesiad
Flowise doesn't Prevent Bypass of Password Confirmation through Unverified Email Change (credentials) High
GHSA-x39m-3393-3qp4 was published for flowise-ui (npm) Nov 14, 2025
Credited to mbiesiad
Mattermost does not enforce MFA on WebSocket connections Moderate
CVE-2025-55070 was published for github.com/mattermost/mattermost-server (Go) Nov 14, 2025
Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL Moderate
CVE-2025-55073 was published for github.com/mattermost/mattermost-server (Go) Nov 14, 2025
Nautobot Single Source of Truth (SSoT) has an unauthenticated ServiceNow configuration URL Moderate
CVE-2025-62607 was published for nautobot-ssot (pip) Oct 21, 2025
Credited to gsnider2195, smk4664, and jdrew82
Better Auth: Unauthenticated API key creation through api-key plugin High
CVE-2025-61928 was published for better-auth (npm) Oct 9, 2025
Credited to etiennelunetta