
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,582 advisories

wisp has Allocation of Resources Without Limits or Throttling High
CVE-2026-32145 was published for wisp (Erlang) Apr 3, 2026
Credited to jtdowney and lpil
OpenClaw: Telegram audio preflight transcription enables resource consumption by unauthorized senders Moderate
GHSA-m6fx-m8hc-572m was published for openclaw (npm) Apr 3, 2026
Credited to AntAISecurityLab and Kazamayc
OpenClaw: Image pixel-limit guard can fail open on sips and allow decompression-bomb DoS Moderate
GHSA-w85g-3h6x-4xh2 was published for openclaw (npm) Apr 3, 2026
Credited to AntAISecurityLab
OpenClaw runs Discord audio preflight transcription before member authorization Moderate
GHSA-hhff-fj5f-qg48 was published for openclaw (npm) Apr 3, 2026
Credited to AntAISecurityLab
OpenClaw: LINE webhook handler lacks shared pre-auth concurrency budget before signature verification Moderate
GHSA-qcc3-jqwp-5vh2 was published for openclaw (npm) Apr 2, 2026
Credited to nexrin
Rack's multipart parsing without Content-Length header allows unbounded chunked file uploads High
CVE-2026-34829 was published for rack (RubyGems) Apr 2, 2026
Credited to th4s1s, jeremyevans, and ioquatix
Rack's multipart header parsing allows Denial of Service via escape-heavy quoted parameters High
CVE-2026-34827 was published for rack (RubyGems) Apr 2, 2026
Credited to TaiPhung217, jeremyevans, and ioquatix
Rack's multipart byte range processing allows denial of service via excessive overlapping ranges Moderate
CVE-2026-34826 was published for rack (RubyGems) Apr 2, 2026
Credited to orenyomtov, jeremyevans, and ioquatix
AIOHTTP's late size enforcement for non-file multipart fields causes memory DoS Low
CVE-2026-34517 was published for aiohttp (pip) Apr 1, 2026
Credited to bekkaze and Dreamsorcerer
AIOHTTP has a Multipart Header Size Bypass Moderate
CVE-2026-34516 was published for aiohttp (pip) Apr 1, 2026
Credited to bekkaze and Dreamsorcerer
AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector Low
CVE-2026-34513 was published for aiohttp (pip) Apr 1, 2026
Credited to gonas0919
aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage Moderate
CVE-2026-22815 was published for aiohttp (pip) Apr 1, 2026
Credited to sg3-141-592 and Dreamsorcerer
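Several entries above describe the same defect class from two angles: a body that is read without a size cap when no Content-Length header is present (the Rack chunked-upload advisory), and trailer headers after the final chunk that are accepted without a count cap (the aiohttp trailers advisory). The following is an added example, not code from Rack, aiohttp or any advisory on this page: a hypothetical chunked transfer-encoding decoder that checks each limit before it buffers anything, so a hostile client can neither claim a huge chunk nor drip-feed an unbounded number of small chunks or trailer lines. The cap values and the sample request bodies are constructed for illustration.

```python
"""Bounded HTTP/1.1 chunked-body decoder (hypothetical example, not a library's code).

Two limits are enforced *before* data is copied, which is the point the
advisories above turn on: late enforcement lets the attacker pay for the
allocation with your memory first.
"""

MAX_BODY_BYTES = 1024       # cap on the decoded payload when no Content-Length exists
MAX_TRAILER_HEADERS = 4     # cap on trailer header lines after the zero-size chunk


class BodyTooLarge(Exception):
    pass


class TooManyTrailers(Exception):
    pass


def decode_chunked(stream: bytes, max_body: int = MAX_BODY_BYTES,
                   max_trailers: int = MAX_TRAILER_HEADERS) -> tuple[bytes, dict]:
    """Decode a chunked body and return (payload, trailers).

    Raises BodyTooLarge as soon as the *declared* size of the next chunk would
    push the decoded payload past max_body, and TooManyTrailers as soon as the
    trailer count passes max_trailers, without buffering the offending data.
    """
    pos = 0
    out = bytearray()

    def readline() -> bytes:
        nonlocal pos
        end = stream.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("truncated chunked body")
        line = stream[pos:end]
        pos = end + 2
        return line

    while True:
        size_line = readline()
        # "chunk-size [; ext=val]" -- extensions are ignored here.
        size = int(size_line.split(b";", 1)[0].strip(), 16)
        if size == 0:
            break
        # Check the cap against the declared size, before touching the data.
        if len(out) + size > max_body:
            raise BodyTooLarge(f"decoded body would exceed {max_body} bytes")
        if pos + size + 2 > len(stream):
            raise ValueError("truncated chunk data")
        out += stream[pos:pos + size]
        pos += size
        if stream[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2

    trailers: dict[str, str] = {}
    count = 0
    while True:
        line = readline()
        if line == b"":            # empty line terminates the trailer section
            break
        count += 1
        if count > max_trailers:   # counted before the line is stored
            raise TooManyTrailers(f"more than {max_trailers} trailer headers")
        name, _, value = line.partition(b":")
        trailers[name.strip().lower().decode()] = value.strip().decode()
    return bytes(out), trailers


def classify(stream: bytes) -> str:
    """Map the decoder's outcome to a label, for use in the tests below."""
    try:
        decode_chunked(stream)
        return "ok"
    except BodyTooLarge:
        return "too_large"
    except TooManyTrailers:
        return "too_many_trailers"


# Constructed sample bodies (not captured traffic).
GOOD = b"5\r\nhello\r\n0\r\nX-Sum: abc\r\n\r\n"
# One chunk that *declares* 0x800 = 2048 bytes but sends only 16: rejected on
# the declaration, so the decoder never waits for or buffers the rest.
OVERSIZED_CLAIM = b"800\r\n" + b"A" * 16
# 300 chunks of 4 bytes: each is tiny, the sum is not.
MANY_SMALL_CHUNKS = b"4\r\nAAAA\r\n" * 300 + b"0\r\n\r\n"
# Empty body followed by 50 trailer lines.
TRAILER_FLOOD = b"0\r\n" + b"X-Junk: 1\r\n" * 50 + b"\r\n"

if __name__ == "__main__":
    for name, body in [("GOOD", GOOD), ("OVERSIZED_CLAIM", OVERSIZED_CLAIM),
                       ("MANY_SMALL_CHUNKS", MANY_SMALL_CHUNKS), ("TRAILER_FLOOD", TRAILER_FLOOD)]:
        print(f"{name:18s} -> {classify(body)}")
```

The same shape applies to a multipart parser: the byte budget has to be charged per part as it streams in, not compared against the whole buffer after the part has been read.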
OpenClaw: Gateway WebSocket Denial of Service via unbounded pre-auth upgrades Moderate
GHSA-f44p-c7w9-7xr7 was published for openclaw (npm) Mar 31, 2026
Credited to topsec-bunney
openssl-encrypt: TOTP rate limiter is in-memory only — not shared across workers, lost on restart Critical
GHSA-h45m-mgcp-q388 was published for openssl-encrypt (pip) Mar 31, 2026
go-git: Maliciously crafted idx file can cause asymmetric memory consumption Moderate
CVE-2026-34165 was published for github.com/go-git/go-git/v5 (Go) Mar 30, 2026
Credited to kq5y
Fleet's unbounded request body read allows remote Denial of Service High
CVE-2026-26061 was published for github.com/fleetdm/fleet/v4 (Go) Mar 27, 2026
Credited to fuzzztf and MagnusHJensen
Incus vulnerable to denial of service through crafted bucket backup file Moderate
CVE-2026-33743 was published for github.com/lxc/incus (Go) Mar 27, 2026
Credited to stamparm and stgraber
TSPortal's Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Service Moderate
CVE-2026-33541 was published for miraheze/ts-portal (Composer) Mar 27, 2026
Credited to Universal-Omega
OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure High
GHSA-4qwc-c7g9-4xcw was published for openclaw (npm) Mar 26, 2026
Netty HTTP/2 CONTINUATION Frame Flood DoS via Zero-Byte Frame Bypass High
CVE-2026-33871 was published for io.netty:netty-codec-http2 (Maven) Mar 26, 2026
Credited to sprabhav7