GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 49
GitHub Actions: 50
Go: 3,599
Maven: 5,000+
npm: 5,000+
NuGet: 924
pip: 4,828
Pub: 13
RubyGems: 1,045
Rust: 1,256
Swift: 53
Unreviewed advisories
All unreviewed: 5,000+
8,810 advisories
Mitigation bypass in the DOM: postMessage component. This vulnerability was fixed in Firefox 150.
Moderate | Unreviewed | CVE-2026-6755 was published Apr 21, 2026
Nginx-UI: Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints
High | CVE-2026-34403 was published for github.com/0xJacky/Nginx-UI (Go) | Apr 21, 2026
A security vulnerability has been detected in ComfyUI up to 0.13.0. This affects the function...
Moderate | Unreviewed | CVE-2026-6589 was published Apr 20, 2026
apache-airflow-providers-keycloak: Missing OAuth 2.0 State and PKCE Enables Login CSRF and Session Fixation
Moderate | CVE-2026-40948 was published for apache-airflow-providers-keycloak (pip) | Apr 18, 2026
PAC4J has a Cross-Site Request Forgery (CSRF) Vulnerability
High | CVE-2026-40458 was published for org.pac4j:pac4j-core (Maven) | Apr 17, 2026
Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2...
Moderate | Unreviewed | CVE-2026-28741 was published Apr 17, 2026
The cms-fuer-motorrad-werkstaetten plugin for WordPress is vulnerable to Cross-Site Request...
Moderate | Unreviewed | CVE-2026-6451 was published Apr 17, 2026
Authlib: Cross-site request forging when using cache
Moderate | GHSA-jj8c-mmj3-mmgv was published for authlib (pip) | Apr 16, 2026
Cross-Site Request Forgery (CSRF) vulnerability in Zaytech Smart Online Order for Clover allows...
Moderate | Unreviewed | CVE-2025-15635 was published Apr 15, 2026
Cross-Site Request Forgery (CSRF) vulnerability in DeluxeThemes Userpro allows Cross Site Request...
Moderate | Unreviewed | CVE-2025-53444 was published Apr 15, 2026
Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Contact Form by WPForms wpforms...
High | Unreviewed | CVE-2026-40764 was published Apr 15, 2026
WWBN AVideo is missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators
Moderate | CVE-2026-40929 was published for wwbn/avideo (Composer) | Apr 14, 2026
WWBN AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion
Moderate | CVE-2026-40928 was published for wwbn/avideo (Composer) | Apr 14, 2026
WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script)
High | CVE-2026-40926 was published for wwbn/avideo (Composer) | Apr 14, 2026
WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials
High | CVE-2026-40925 was published for wwbn/avideo (Composer) | Apr 14, 2026
goshs has CSRF in state-changing GET routes enables authenticated file deletion and directory creation
Moderate | CVE-2026-40883 was published for github.com/patrickhener/goshs/v2 (Go) | Apr 14, 2026
Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform...
Moderate | Unreviewed | CVE-2026-40041 was published Apr 13, 2026
Heatmiser Wifi Thermostat 1.7 contains a cross-site request forgery vulnerability that allows...
Moderate | Unreviewed | CVE-2019-25708 was published Apr 12, 2026
ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to...
High | Unreviewed | CVE-2019-25693 was published Apr 12, 2026
MetaGPT has an eval injection via a cross-site request forgery attack
Low | CVE-2026-6109 was published for metagpt (pip) | Apr 12, 2026
The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all...
Moderate | Unreviewed | CVE-2026-1924 was published Apr 10, 2026
The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Cross-Site Request Forgery...
Moderate | Unreviewed | CVE-2026-0811 was published Apr 8, 2026
The WIP Incoming Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all...
Moderate | Unreviewed | CVE-2024-11416 was published Apr 8, 2026
The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request...
Moderate | Unreviewed | CVE-2024-10726 was published Apr 8, 2026
The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin...
Moderate | Unreviewed | CVE-2026-1672 was published Apr 8, 2026