Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,599
Maven
5,000+
npm
5,000+
NuGet
924
pip
4,828
Pub
13
RubyGems
1,045
Rust
1,256
Swift
53
Unreviewed advisories
All unreviewed
5,000+

837 advisories

Loading
RedwoodSDK has Same-site CSRF through lack of origin validation in its server actions Moderate
GHSA-m2m6-cff5-3w7c was published for rwsdk (npm) Apr 24, 2026
mthx Credited to mthx
goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS Moderate
GHSA-rhf7-wvw3-vjvm was published for github.com/patrickhener/goshs (Go) Apr 23, 2026
engram: HTTP server CORS wildcard + auth-off-by-default enables CSRF graph exfiltration and persistent indirect prompt injection High
GHSA-2r2p-4cgf-hv7h was published for engramx (npm) Apr 22, 2026
gabiudrescu Credited to gabiudrescu
Nginx-UI: Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints High
CVE-2026-34403 was published for github.com/0xJacky/Nginx-UI (Go) Apr 21, 2026
apache-airflow-providers-keycloak: Missing OAuth 2.0 State and PKCE Enables Login CSRF and Session Fixation Moderate
CVE-2026-40948 was published for apache-airflow-providers-keycloak (pip) Apr 18, 2026
PAC4J has a Cross-Site Request Forgery (CSRF) Vulnerability High
CVE-2026-40458 was published for org.pac4j:pac4j-core (Maven) Apr 17, 2026
Authlib: Cross-site request forging when using cache Moderate
GHSA-jj8c-mmj3-mmgv was published for authlib (pip) Apr 16, 2026
WWBN AVideo is missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators Moderate
CVE-2026-40929 was published for wwbn/avideo (Composer) Apr 14, 2026
offset Credited to offset
WWBN AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion Moderate
CVE-2026-40928 was published for wwbn/avideo (Composer) Apr 14, 2026
offset Credited to offset
WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script) High
CVE-2026-40926 was published for wwbn/avideo (Composer) Apr 14, 2026
WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials High
CVE-2026-40925 was published for wwbn/avideo (Composer) Apr 14, 2026
offset Credited to offset
goshs has CSRF in state-changing GET routes enables authenticated file deletion and directory creation Moderate
CVE-2026-40883 was published for github.com/patrickhener/goshs/v2 (Go) Apr 14, 2026
R1ZZG0D Credited to R1ZZG0D
MetaGPT has an eval injection via a cross-site request forgery attack Low
CVE-2026-6109 was published for metagpt (pip) Apr 12, 2026
RedwoodSDK has a CSRF vulnerability in server function dispatch via GET requests High
CVE-2026-39371 was published for rwsdk (npm) Apr 8, 2026
zebbern Credited to zebbern
Nodcms contains a cross-site request forgery vulnerability Moderate
CVE-2016-20054 was published for khodakhah/nodcms (Composer) Apr 4, 2026
AVideo: CSRF on Player Skin Configuration via admin/playerUpdate.json.php Moderate
CVE-2026-35181 was published for wwbn/avideo (Composer) Apr 3, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
OpenClaw: HTTP operator endpoints lack browser-origin validation in trusted-proxy mode Moderate
GHSA-mhr7-2xmv-4c4q was published for openclaw (npm) Apr 3, 2026
AntAISecurityLab Credited to AntAISecurityLab
Payload has a CSRF Protection Bypass in Authentication Flow Moderate
CVE-2026-34749 was published for payload (npm) Apr 1, 2026
AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins Moderate
CVE-2026-34613 was published for wwbn/avideo (Composer) Apr 1, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users Moderate
CVE-2026-34611 was published for wwbn/avideo (Composer) Apr 1, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
AVideo's CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking High
CVE-2026-34394 was published for wwbn/avideo (Composer) Mar 31, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Admidio has CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter Moderate
CVE-2026-34383 was published for admidio/admidio (Composer) Mar 31, 2026
offset Credited to offset
Admidio has Missing CSRF Protection on Registration Approval Actions Moderate
CVE-2026-34384 was published for admidio/admidio (Composer) Mar 31, 2026
offset Credited to offset
Admidio has Missing CSRF Protections on Custom List Deletion in mylist_function.php Moderate
CVE-2026-34382 was published for admidio/admidio (Composer) Mar 31, 2026
JFOZ1010 Credited to JFOZ1010
Mattermost doesn't properly validate CSRF tokens Moderate
CVE-2026-27659 was published for github.com/mattermost/mattermost/server/v8 (Go) Mar 25, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database