GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,277 advisories

GitHub CLI: GitHub Actions log output in `gh run view` allows terminal escape sequence injection Low
CVE-2026-45803 was published for github.com/cli/cli (Go) May 19, 2026
Strawberry GraphQL: Default GraphiQL may expose HTTP headers in URLs Low
CVE-2026-45739 was published for strawberry-graphql (pip) May 19, 2026
Credited to lpschroer, bellini666, and patrick91
MCP Registry: OCI validator skips ownership check on upstream rate limits Low
CVE-2026-45781 was published for github.com/modelcontextprotocol/registry (Go) May 19, 2026
Credited to rdimitrov
go-git: Improper single-quote escaping in go-git SSH transport Low
CVE-2026-45570 was published for github.com/go-git/go-git (Go) May 19, 2026
Credited to N0zoM1z0 and hiddeco
Vaadin Build Plugins is Affected by a Possible Information Disclosure Vulnerability Low
CVE-2026-7860 was published for com.vaadin:flow-gradle-plugin (Maven) May 19, 2026
Summarize contains a missing authorization vulnerability Low
CVE-2026-45244 was published for @steipete/summarize (npm) May 18, 2026
OpenTelemetry eBPF Instrumentation: Java TLS ioctl kprobe allows kernel memory disclosure Low
CVE-2026-45683 was published for go.opentelemetry.io/obi (Go) May 18, 2026
Credited to MrAlias and grcevski
Broken dropper in @mistralai/mistralai, @mistralai/mistralai-azure, @mistralai/mistralai-gcp Low
GHSA-jgg6-4rpr-wfh7 was published for @mistralai/mistralai (npm) May 18, 2026
Credited to jean-malo
Sulu: Used API Keys may be available via Admin API Low
GHSA-9m6v-8fxc-4r44 was published for sulu/sulu (Composer) May 18, 2026
Credited to gangadhar-s-k, mamazu, and alexander-schranz
LibreNMS: Cross-Site Scripting in ShowConfigController Low
CVE-2026-2728 was published for librenms/librenms (Composer) May 18, 2026
Credited to YuriNek0
Credited to Pirikara
Sveltia CMS: Stored XSS in entry summary rendering via entity-decoded HTML Low
GHSA-97r8-rf7q-wmjw was published for @sveltia/cms (npm) May 18, 2026
Credited to blacksolo1
Mattermost doesn't validate the Host header when constructing response URLs for custom slash command Low
CVE-2026-6333 was published for github.com/mattermost/mattermost-server (Go) May 18, 2026
Mattermost doesn't check if {{team_id}} was being changed when updating playbooks Low
CVE-2026-4286 was published for github.com/mattermost/mattermost-plugin-playbooks (Go) May 18, 2026
Mattermost doesn't escape some variables that could contain malicious content during error page composition Low
CVE-2026-3495 was published for github.com/mattermost/mattermost-server (Go) May 18, 2026
Mattermost doesn't enforce client identity binding during the OAuth authorization code redemption flow Low
CVE-2026-6334 was published for github.com/mattermost/mattermost-server (Go) May 18, 2026
Mattermost doesn't validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation Low
CVE-2026-4273 was published for github.com/mattermost/mattermost-server (Go) May 18, 2026
AMF Vulnerable to Improper Resource Shutdown or Release Low
CVE-2026-8783 was published for github.com/omec-project/amf (Go) May 18, 2026
AMF Improperly Restricts Operations within the Bounds of a Memory Buffer Low
CVE-2026-8779 was published for github.com/omec-project/amf (Go) May 18, 2026
AMF Improperly Restricts Operations within the Bounds of a Memory Buffer Low
CVE-2026-8780 was published for github.com/omec-project/amf (Go) May 18, 2026
AMF Vulnerable to Improper Resource Shutdown or Release Low
CVE-2026-8782 was published for github.com/omec-project/amf (Go) May 18, 2026
AMF Vulnerable to Improper Resource Shutdown or Release Low
CVE-2026-8781 was published for github.com/omec-project/amf (Go) May 18, 2026
@ai-sdk/provider-utils has an Uncontrolled Resource Consumption issue Low
CVE-2026-8769 was published for @ai-sdk/provider-utils (npm) May 18, 2026
@kilocode/cli Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor Low
CVE-2026-8766 was published for @kilocode/cli (npm) May 18, 2026