GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open source software.

222 advisories

gitverify has improper tag signature verification Moderate
GHSA-h829-5cg7-6hff was published for github.com/supply-chain-tools/gitverify (Go) Apr 24, 2026
Microsoft Security Advisory CVE-2026-40372 – ASP.NET Core Elevation of Privilege Critical
CVE-2026-40372 was published for Microsoft.AspNetCore.DataProtection (NuGet) Apr 23, 2026
Credited to rbhanda
nimiq-transaction: UpdateValidator transactions allows voting key change without proof-of-knowledge Moderate
CVE-2026-34068 was published for nimiq-transaction (Rust) Apr 22, 2026
Credited to 1seal and paberr
Credited to sgbett
lightrag-hku: JWT Algorithm Confusion Vulnerability Moderate
CVE-2026-39413 was published for lightrag-hku (pip) Apr 8, 2026
OpenClaw: Forged Nostr DMs could create pairing state before signature verification Moderate
CVE-2026-41301 was published for openclaw (npm) Apr 7, 2026
Credited to smaeljaish771 and KeenSecurityLab
StableLib Ed25519 Signature Malleability via Missing S < L Check Moderate
GHSA-x3ff-w252-2g7j was published for @stablelib/ed25519 (npm) Apr 1, 2026
Credited to kodareef5
openssl-encrypt's unverified key bundle from_dict() + to_identity() path allows encryption to attacker keys Moderate
GHSA-8h88-gxp3-j7pg was published for openssl-encrypt (pip) Apr 1, 2026
jose vulnerable to untrusted JWK header key acceptance during signature verification High
CVE-2026-34240 was published for jose (Pub) Mar 31, 2026
Credited to splitline
Zebra has a Consensus Failure due to Improper Verification of V5 Transactions High
CVE-2026-34377 was published for zebra-consensus (Rust) Mar 30, 2026
Credited to conradoplg, mpguerra, and alchemydc
nginx-ui Backup Restore Allows Tampering with Encrypted Backups Critical
CVE-2026-33026 was published for github.com/0xJacky/Nginx-UI (Go) Mar 30, 2026
Credited to dapickle
Duplicate Advisory: OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured High
GHSA-vjqw-w5jr-g9w5 was published for openclaw (npm) Mar 29, 2026 withdrawn
Forge has signature forgery in Ed25519 due to missing S > L check High
CVE-2026-33895 was published for node-forge (npm) Mar 26, 2026
Credited to corbanvilla, dderpym, and soh3e
Forge has signature forgery in RSA-PKCS due to ASN.1 extra field High
CVE-2026-33894 was published for node-forge (npm) Mar 26, 2026
Credited to corbanvilla, dderpym, and soh3e
libcrux has an Incorrect Check of Signer Response Norm During Verification High
GHSA-cp57-fq8g-qh6v was published for libcrux-ml-dsa (Rust) Mar 26, 2026
Unsigned SAML LogoutRequest Acceptance in gosaml2 High
GHSA-pcgw-qcv5-h8ch was published for github.com/russellhaering/gosaml2 (Go) Mar 18, 2026
Credited to xclow3n
validateSignature Loop Variable Capture Signature Bypass in goxmldsig High
CVE-2026-33487 was published for github.com/russellhaering/goxmldsig (Go) Mar 18, 2026
Credited to tomasilluminati
sjcl is missing point-on-curve validation in sjcl.ecc.basicKey.publicKey High
CVE-2026-4258 was published for sjcl (npm) Mar 17, 2026
Credited to wmorland
Authlib JWS JWK Header Injection: Signature Verification Bypass Critical
CVE-2026-27962 was published for authlib (pip) Mar 16, 2026
Credited to Jaynornj and Pr00fOf3xpl0it
OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured High
CVE-2026-32974 was published for openclaw (npm) Mar 13, 2026
Credited to lintsinghua
SM9 Infinity-Point Ciphertext Forgery Vulnerability Critical
CVE-2026-32614 was published for github.com/emmansun/gmsm (Go) Mar 13, 2026
Credited to Cameudis and sunyxedu
pac4j-jwt: JwtAuthenticator Authentication Bypass via JWE-Wrapped PlainJWT Critical
CVE-2026-29000 was published for org.pac4j:pac4j-jwt (Maven) Mar 5, 2026
Credited to fritzdal
Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification High
CVE-2026-28802 was published for authlib (pip) Mar 4, 2026
Credited to michael-guignard
AWS-LC has PKCS7_verify Signature Validation Bypass High
GHSA-hfpc-8r3f-gw53 was published for aws-lc-sys (Rust) Mar 3, 2026