29580 matches found

Circl
added 2026/03/27 3:17 a.m., 3 views

GHSA-7H8W-HJ9J-8RJW

creationtimestamp | type | source
--- | --- | ---
2026-03-27 03:17:50+00:00 | published-proof-of-concept | Telegram/GblWBcVIPYIrXGBoPy7bAM0O64UdRepvGT6caCd3l3fA...

4.8 AI score
Exploits 0
CNNVD
added 2026/03/27 12:0 a.m., 4 views

Wazuh Security Vulnerability

Wazuh is an open-source application developed by Wazuh. It is used for collecting, summarizing, indexing, and analyzing security data, helping organizations detect intrusions, threats, and abnormal behaviors. Version 4.12.0 of Wazuh contains a security vulnerability. This vulnerability stems from...

8.3 CVSS, 5.8 AI score, 0.00387 EPSS
Exploits 1, References 2
Positive Technologies
added 2026/03/27 12:0 a.m., 3 views

PT-2026-28280

Wazuh version 4.12.0 contains an exposure vulnerability in GitHub Actions workflow artifacts that allows attackers to extract the GITHUB_TOKEN from uploaded artifacts. Attackers can use the exposed token within a limited time window to perform unauthorized actions such as pushing malicious commit...

8.3 CVSS, 5.9 AI score, 0.00387 EPSS
Exploits 1, References 6
Circl
added 2026/03/26 11:29 p.m., 5 views

CVE-2026-28786

creationtimestamp | type | source
--- | --- | ---
2026-03-26 23:29:07+00:00 | published-proof-of-concept | https://github.com/open-webui/open-webui/security/advisories/GHSA-vvxm-vxmr-624h...

4.3 CVSS, 5.8 AI score, 0.00427 EPSS
Exploits 1, References 1
Circl
added 2026/03/26 9:36 p.m., 1 views

GHSA-3WJR-6GW8-9J22

creationtimestamp | type | source
--- | --- | ---
2026-03-26 21:36:49+00:00 | seen | Telegram/knkV6U7RC4OpKxR0GhJKoJS2C9ZLnhn5rNmC0CAguDvjk...

4.8 AI score
Exploits 0
Snyk
added 2026/03/26 9:27 p.m., 2 views

Incorrect Authorization

Overview: @openclaw/tlon is an OpenClaw Tlon/Urbit channel plugin. Affected versions of this package are vulnerable to Incorrect Authorization via the cite expansion process before authorization is complete. An attacker can access or manipulate content prior to proper authorization by triggering ci...

7.3 CVSS, 5.9 AI score, 0.00247 EPSS
Exploits 0, References 2
OSV
added 2026/03/26 8:33 p.m., 2 views

GO-2026-4862 OpenBao has Reflected XSS in its OIDC authentication error message in github.com/openbao/openbao

OpenBao has Reflected XSS in its OIDC authentication error message in github.com/openbao/openbao...

9.4 CVSS, 5.9 AI score, 0.00259 EPSS
Exploits 0, References 4
OSV
added 2026/03/26 8:33 p.m., 3 views

GO-2026-4829 NATS Server panic via malicious compression on leafnode port in github.com/nats-io/nats-server

NATS Server panic via malicious compression on leafnode port in github.com/nats-io/nats-server...

7.5 CVSS, 5.9 AI score, 0.00386 EPSS
Exploits 0, References 3
OSV
added 2026/03/26 8:33 p.m., 3 views

GO-2026-4838 Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint in github.com/lin-snow/ech0

Ech0 authenticated user-list exposed data via public /api/allusers endpoint in github.com/lin-snow/ech0...

5.3 CVSS, 5.8 AI score, 0.00484 EPSS
Exploits 0, References 3
OSV
added 2026/03/26 8:33 p.m., 2 views

GO-2026-4824 A PinchTab Security Policy Bypass in /wait Allows Arbitrary JavaScript Execution in github.com/pinchtab/pinchtab

A PinchTab Security Policy Bypass in /wait Allows Arbitrary JavaScript Execution in github.com/pinchtab/pinchtab...

8.8 CVSS, 5.9 AI score, 0.00512 EPSS
Exploits 1, References 1
OSV
added 2026/03/26 8:33 p.m., 1 views

GO-2026-4817 GoDoxy has a Path Traversal Vulnerability in its File API in github.com/yusing/godoxy

GoDoxy has a Path Traversal Vulnerability in its File API in github.com/yusing/godoxy...

6.5 CVSS, 5.9 AI score, 0.00502 EPSS
Exploits 1, References 3
OSV
added 2026/03/26 8:33 p.m., 4 views

GO-2026-4813 New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure in github.com/QuantumNous/new-api

New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure in github.com/QuantumNous/new-api...

4.9 CVSS, 5.9 AI score, 0.00289 EPSS
Exploits 0, References 1
OSV
added 2026/03/26 8:32 p.m., 4 views

GO-2026-4713 File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely in github.com/filebrowser/filebrowser

File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely in github.com/filebrowser/filebrowser...

8.1 CVSS, 5.9 AI score, 0.01903 EPSS
Exploits 1, References 3
OSV
added 2026/03/26 8:32 p.m., 3 views

GO-2026-4717 Kargo Vulnerable to SSRF in Promotion http/http-download Steps Enables Internal Network Access and Data Exfiltration in github.com/akuity/kargo

Kargo Vulnerable to SSRF in Promotion http/http-download Steps Enables Internal Network Access and Data Exfiltration in github.com/akuity/kargo...

5.1 CVSS, 5.9 AI score, 0.00328 EPSS
Exploits 0, References 3
Circl
added 2026/03/26 7:26 p.m., 2 views

GHSA-4MQ7-PVJG-XP2R

creationtimestamp | type | source
--- | --- | ---
2026-03-26 19:26:19+00:00 | published-proof-of-concept | Telegram/Dv-WNIQSBfenZP-L8llbvWNomtb7L7cuRFseuDShUkzpu6g...

4.8 AI score
Exploits 0
Chainguard
added 2026/03/26 7:17 p.m., 6 views

GHSA-4773-3JFM-QMX3 vulnerabilities

Vulnerabilities for packages: kafbat-ui-fips, apache-activemq, nacos-docker, apache-activemq-fips, apache-nifi-registry, thingsboard, kafbat-ui, camunda-zeebe, camunda, nacos...

5.8 AI score
Exploits 0
Snyk
added 2026/03/26 6:56 p.m., 2 views

Replay Attack

Overview: @openclaw/voice-call is an OpenClaw voice-call plugin. Affected versions of this package are vulnerable to Replay Attack due to improper derivation of the replay key in the webhook-security.ts process. An attacker can bypass replay protection and submit multiple authenticated requests by...

8.3 CVSS, 5.9 AI score, 0.00283 EPSS
Exploits 0, References 2
Circl
added 2026/03/26 6:14 p.m., 0 views

GHSA-F9P7-3JQG-HHVQ

creationtimestamp | type | source
--- | --- | ---
2026-03-26 18:14:49+00:00 | seen | https://cyber.gc.ca/en/alerts-advisories/squid-security-advisory-av26-284...

5.8 AI score
Exploits 0, References 1
GitHub Security Blog
added 2026/03/26 4:0 p.m., 9 views

A year of open source vulnerability trends: CVEs, advisories, and malware

GitHub published 4,101 reviewed advisories in 2025. This is the fewest number of reviewed advisories since 2021. Does this mean open source is shipping more secure code? Let's dig into the data to find out. GitHub reviewed advisories: Fewer advisories reviewed doesn't mean fewer vulnerabilities we...

5.6 AI score
Exploits 0
RedhatCVE
added 2026/03/26 3:12 p.m., 1 views

CVE-2026-3306

An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed a user with read access to a repository and write access to a project to modify issue and pull request metadata through the project. When adding an item to a project that already existed, column value...

5.3 CVSS, 5.7 AI score, 0.00321 EPSS
Exploits 0, References 1