GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
eduMFA Passkeys: missing expiration flag may allow replay attacks and reuse of old challenges. Severity: High. GHSA-j5rm-v3vh-vx94, published for edumfa (pip) on May 18, 2026.
Strapi: Password Reset Does Not Revoke Existing Refresh Sessions. Severity: Low. CVE-2026-22706, published for @strapi/admin (npm) on May 13, 2026.
libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated... Severity: Moderate (Unreviewed). CVE-2026-5545, published on May 13, 2026.
SillyTavern: Existing sessions are not invalidated after password change, allowing session reuse and account takeover. Severity: High. CVE-2026-44648, published for sillytavern (npm) on May 12, 2026.
A session management vulnerability in AOS-8 allows previously authenticated users to retain... Severity: Moderate (Unreviewed). CVE-2026-44873, published on May 12, 2026.
Open WebUI has a CORS misconfiguration and session validation issue. Severity: High. GHSA-6xcp-7mpr-m7wm, published for open-webui (pip) on May 11, 2026.
Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access. Severity: High. CVE-2026-44553, published for open-webui (pip) on May 8, 2026.
nhost has Session Persistence After Password Change. Severity: Low. GHSA-7hgr-xvrr-xpw3, published for github.com/nhost/nhost (Go) on May 8, 2026.
ech0's access tokens with expiry=never cannot be revoked: logout panics, delete does not blacklist JTI. Severity: High. GHSA-fpw6-hrg5-q5x5, published for github.com/lin-snow/Ech0 (Go) on May 7, 2026.
Daptin's Session Management Vulnerability Leads to Insufficient Session Expiration After Password Change. Severity: Moderate. GHSA-258c-965c-p3hc, published for github.com/daptin/daptin (Go) on May 7, 2026.
katalyst-koi: Session cookies can be replayed after user logout. Severity: High. CVE-2026-44511, published for katalyst-koi (RubyGems) on May 7, 2026.
OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload. Severity: Moderate. CVE-2026-45005, published for openclaw (npm) on May 5, 2026.
Jupyter Server's Authentication Cookies Remain Valid After Password Reset and Server Restart. Severity: High. CVE-2026-40934, published for jupyter-server (pip) on May 5, 2026.
CI4MS has a Deactivated User Session Bypass (active=0). Severity: Moderate. CVE-2026-41891, published for ci4-cms-erp/ci4ms (Composer) on May 4, 2026.
Weblate Doesn't Invalidate API Token on Password Change. Severity: Moderate. CVE-2026-41519, published for weblate (pip) on Apr 30, 2026.
A vulnerability exists in SenseLive X3050's web management interface due to improper session... Severity: Moderate (Unreviewed). CVE-2026-25720, published on Apr 24, 2026.
Duplicate Advisory: OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation. Severity: Low. GHSA-wwc3-c577-533m, published for openclaw (npm) on Apr 24, 2026 (withdrawn).
IBM Guardium Data Protection 12.0, 12.1, and 12.2 is vulnerable to Security Misconfiguration... Severity: Low (Unreviewed). CVE-2026-1272, published on Apr 23, 2026.
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.9.6, 18... Severity: Moderate (Unreviewed). CVE-2026-6515, published on Apr 22, 2026.
A flaw was found in Red Hat Quay. When Red Hat Quay requests password re-verification for... Severity: Moderate (Unreviewed). CVE-2026-6848, published on Apr 22, 2026.
An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in... Severity: Moderate (Unreviewed). CVE-2026-0971, published on Apr 21, 2026.
Active access tokens are not revoked or invalidated when a user account is locked within WSO2... Severity: Moderate (Unreviewed). CVE-2025-12624, published on Apr 16, 2026.
Data Sharing Framework is Missing Session Timeout for OIDC Sessions. Severity: Moderate. CVE-2026-40939, published for dev.dsf:dsf-bpe-server (Maven) on Apr 15, 2026.
pyLoad's Session Not Invalidated After Permission Changes. Severity: Low. GHSA-fj52-5g4h-gmq8, published for pyload-ng (pip) on Apr 14, 2026.
pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass). Severity: High. CVE-2026-41133, published for pyload-ng (pip) on Apr 14, 2026.