GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 73
GitHub Actions: 53
Go: 4,004
Maven: 5,000+
npm: 5,000+
NuGet: 974
pip: 5,000+
Pub: 13
RubyGems: 1,069
Rust: 1,395
Swift: 61
Unreviewed advisories
All unreviewed: 5,000+
127,899 advisories
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client
High: CVE-2026-1528 was published for undici (npm), Mar 13, 2026
Scrapy: Arbitrary Module Import via Referrer-Policy Header in RefererMiddleware
High: GHSA-cwxj-rr6w-m6w7 was published for Scrapy (pip), Mar 13, 2026
Deno vulnerable to command Injection via incomplete shell metacharacter blocklist in node:child_process
High: CVE-2026-32260 was published for deno (Rust), Mar 13, 2026
Integer overflow in WebML in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to...
High (Unreviewed): CVE-2026-3914 was published, Mar 12, 2026
Heap buffer overflow in WebML in Google Chrome prior to 146.0.7680.71 allowed a remote attacker...
High (Unreviewed): CVE-2026-3913 was published, Mar 12, 2026
Heap buffer overflow in Skia in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to...
High (Unreviewed): CVE-2026-3931 was published, Mar 12, 2026
Improper authentication in Azure Arc allows an authorized attacker to elevate privileges locally.
High (Unreviewed): CVE-2026-26141 was published, Mar 10, 2026
Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute...
High (Unreviewed): CVE-2026-26108 was published, Mar 10, 2026
pretix unsafely evaluates variables in emails
High: CVE-2026-2415 was published for pretix (pip), Feb 16, 2026
GitHub Copilot CLI Dangerous Shell Expansion Patterns Enable Arbitrary Code Execution
High: CVE-2026-29783 was published for @github/copilot (npm), Mar 6, 2026
OpenClaw: Sandbox staged writes could escape the verified parent directory before commit
High: GHSA-mj4p-rc52-m843 was published for openclaw (npm), Mar 13, 2026
OpenClaw: Leaf subagents could steer sibling sessions across sandbox boundaries
High: GHSA-4w7m-58cg-cmff was published for openclaw (npm), Mar 13, 2026
flatted vulnerable to unbounded recursion DoS in parse() revive phase
High: CVE-2026-32141 was published for flatted (npm), Mar 13, 2026
Poseidon V1 variable-length input collision via implicit zero-padding
High: CVE-2026-32129 was published for soroban-poseidon (Rust), Mar 13, 2026
Magic Wormhole: "wormhole receive" allows arbitrary local file overwrite
High: CVE-2026-32116 was published for magic-wormhole (pip), Mar 13, 2026
Emails sent by pretix can utilize placeholders that will be filled with customer data. For...
High (Unreviewed): CVE-2026-2451 was published, Feb 16, 2026
Black: Arbitrary file writes from unsanitized user input in cache file name
High: CVE-2026-32274 was published for black (pip), Mar 12, 2026
Graphiti vulnerable to Cypher Injection via unsanitized node_labels in search filters
High: CVE-2026-32247 was published for graphiti-core (pip), Mar 12, 2026
ZeptoClaw: Path boundary checks bypass via symlink, TOCTOU, and hardlink
High: CVE-2026-32232 was published for zeptoclaw (Rust), Mar 12, 2026
ZeptoClaw: Generic webhook channel trusts caller-supplied identity fields; allowlist is checked against untrusted payload data
High: CVE-2026-32231 was published for zeptoclaw (Rust), Mar 12, 2026
Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint
High: CVE-2026-32246 was published for github.com/steveiliop56/tinyauth (Go), Mar 12, 2026
Tenda i24V3.0si V3.0.0.5 Firmware V3.0.0.5 was discovered to contain a hardcoded password...
High (Unreviewed): CVE-2025-70798 was published, Mar 10, 2026
Tenda G1V3.1si V16.01.7.8 Firmware V16.01.7.8 was discovered to contain a hardcoded password...
High (Unreviewed): CVE-2025-70802 was published, Mar 10, 2026
A crafted JavaScript input executed with the QuickJS release 2025-09-13, fixed in commit...
High (Unreviewed): CVE-2025-69654 was published, Mar 6, 2026
Heap buffer overflow in WebML in Google Chrome prior to 146.0.7680.71 allowed a remote attacker...
High (Unreviewed): CVE-2026-3915 was published, Mar 12, 2026
ProTip! Advisories are also available from the GraphQL API.