
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

11,261 advisories

Credited to fg0x0
Astro: Reflected XSS via unescaped slot name High
CVE-2026-50146 was published for astro (npm) Jun 16, 2026
Credited to floudeciel
aws-cdk-lib: OS Command Injection in NodejsFunction Bundling High
CVE-2026-11417 was published for aws-cdk-lib (npm) Jun 15, 2026
Netty: Unbounded pre-allocation in RedisArrayAggregator from RESP array length High
CVE-2026-50011 was published for io.netty:netty-codec-redis (Maven) Jun 15, 2026
Credited to violetagg
Netty: Wrapping plain trust manager silently disables hostname verification High
CVE-2026-50010 was published for io.netty:netty-handler (Maven) Jun 15, 2026
Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion High
CVE-2026-48748 was published for io.netty:netty-codec-http3 (Maven) Jun 15, 2026
Credited to violetagg
Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS High
CVE-2026-54283 was published for starlette (pip) Jun 15, 2026
Credited to EthanKim88, Z-Bra0, Moaaz-0x, moizxsec, aest3ra, and oxqnd
Nest: Middleware Bypass on Fastify via Trailing Slash High
CVE-2026-54281 was published for @nestjs/platform-fastify (npm) Jun 15, 2026
Credited to a-tt-om and kamilmysliwiec
python-multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service High
CVE-2026-53539 was published for python-multipart (pip) Jun 15, 2026
Credited to maxisbey
Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient High
CVE-2026-49853 was published for tornado (pip) Jun 15, 2026
Credited to noobone123, SnailSploit, 0xHunSec, and sondt99
tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb) High
CVE-2026-49855 was published for tornado (pip) Jun 15, 2026
Credited to yuui25
Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows High
CVE-2026-48818 was published for starlette (pip) Jun 15, 2026
Credited to nvn1729
protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names High
CVE-2026-54271 was published for protobufjs-cli (npm) Jun 15, 2026
Credited to JacobBrackett and dcodeIO
Vulnerable OpenSSL included in cryptography wheels High
GHSA-537c-gmf6-5ccf was published for cryptography (pip) Jun 15, 2026
Microsoft Security Advisory CVE-2026-45591 – ASP.NET Core Denial of Service Vulnerability High
CVE-2026-45591 was published for Microsoft.AspNetCore.App.Runtime.linux-x64 (NuGet) Jun 15, 2026
Credited to aradona91
protobufjs: Denial of service through unbounded Any expansion during JSON conversion High
CVE-2026-48712 was published for protobufjs (npm) Jun 15, 2026
Credited to EchoSkorJjj, yueyueL, and dcodeIO
Credited to a-tt-om, teebow1e, and nicolas-grekas
form-data: CRLF injection in form-data via unescaped multipart field names and filenames High
CVE-2026-12143 was published for form-data (npm) Jun 15, 2026
Credited to yueyueL
@angular/service-worker: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker High
CVE-2026-54264 was published for @angular/service-worker (npm) Jun 15, 2026
Credited to SkyZeroZx, alan-agius4, JeanMeche, and josephperrott
@angular/common: Denial of Service (DoS) via OOM in Date Formatting (formatDate) High
CVE-2026-54268 was published for @angular/common (npm) Jun 15, 2026
Credited to JeanMeche, alan-agius4, SkyZeroZx, and josephperrott
Credited to alan-agius4, JeanMeche, and josephperrott
Credited to SkyZeroZx, alan-agius4, and josephperrott
@angular/platform-server: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') High
CVE-2026-50555 was published for @angular/platform-server (npm) Jun 15, 2026
Credited to SkyZeroZx, alan-agius4, and josephperrott
ProTip! Advisories are also available from the GraphQL API