GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
  All reviewed: 5,000+
  Composer: 5,000+
  Erlang: 73
  GitHub Actions: 53
  Go: 4,004
  Maven: 5,000+
  npm: 5,000+
  NuGet: 974
  pip: 5,000+
  Pub: 13
  RubyGems: 1,069
  Rust: 1,395
  Swift: 61
Unreviewed advisories
  All unreviewed: 5,000+
30,740 advisories
A path handling issue in mod_dav_fs in Apache 2.4.67 and earlier allows a WebDAV content author...
  Critical | Unreviewed | CVE-2026-42535 was published Jun 8, 2026
Use After Free vulnerability in Apache HTTP Server with mod_ldap in per-directory configuration...
  Critical | Unreviewed | CVE-2026-29167 was published Jun 8, 2026
Improper neutralization of special elements used in an SQL command ('SQL injection')...
  Critical | Unreviewed | CVE-2026-7486 was published Jun 9, 2026
WordPress Insert PHP plugin versions before 3.3.1 contain a PHP code injection vulnerability that...
  Critical | Unreviewed | CVE-2017-20251 was published Jun 9, 2026
shell-quote quote() does not escape newlines in object .op values
  Critical | CVE-2026-9277 was published for shell-quote (npm) Jun 9, 2026
Malicious code in guardrails-ai 0.10.1 (supply chain compromise)
  Critical | CVE-2026-45758 was published for guardrails-ai (pip) May 19, 2026
FlowiseAI: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape
  Critical | CVE-2026-46442 was published for flowise (npm) May 14, 2026
Paramiko not properly checking authentication before processing other requests
  Critical | CVE-2018-7750 was published for paramiko (pip) Jul 12, 2018
Insufficient validation of untrusted input in UI in Google Chrome prior to 149.0.7827.103 allowed...
  Critical | Unreviewed | CVE-2026-11697 was published Jun 9, 2026
SQL injection in the ‘two_steps_auth_code’ parameter processed by the ‘twoStepsAuthVerification’...
  Critical | Unreviewed | CVE-2026-10731 was published Jun 9, 2026
A Stored Cross-Site Scripting vulnerability in Vinna Process Monitor Version 4.0 Service Pack 1 ...
  Critical | Unreviewed | CVE-2026-41031 was published Jun 9, 2026
Use after free in CameraCapture in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote...
  Critical | Unreviewed | CVE-2026-11654 was published Jun 9, 2026
Integer overflow in UI in Google Chrome on Linux prior to 149.0.7827.103 allowed a remote...
  Critical | Unreviewed | CVE-2026-11659 was published Jun 9, 2026
Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can...
  Critical | Unreviewed | CVE-2025-15467 was published Jan 27, 2026
An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0,...
  Critical | Unreviewed | CVE-2025-59719 was published Dec 9, 2025
An improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0...
  Critical | Unreviewed | CVE-2025-59718 was published Dec 9, 2025
HAXcms: Private Key Disclosure via Broken HMAC Implementation
  Critical | CVE-2026-46395 was published for @haxtheweb/haxcms-nodejs (npm) May 19, 2026
dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution
  Critical | CVE-2026-33728 was published for com.datadoghq:dd-java-agent (Maven) Mar 26, 2026
OpenClaude Sandbox Bypass via Model-Controlled `dangerouslyDisableSandbox` Input
  Critical | CVE-2026-42074 was published for openclaude (npm) May 12, 2026
pymetasploit3 vulnerable to command injection in console.run_module_with_output()
  Critical | CVE-2026-5463 was published for pymetasploit3 (pip) Apr 3, 2026
Langroid has Prompt to SQL Injection, Leading to RCE
  Critical | CVE-2026-25879 was published for langroid (pip) May 27, 2026
Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability
  Critical | CVE-2026-44211 was published for cline (npm) May 8, 2026
Fastify's connection header abuse enables stripping of proxy-added headers
  Critical | CVE-2026-33805 was published for @fastify/http-proxy (npm) Apr 16, 2026
@fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)
  Critical | CVE-2026-33808 was published for @fastify/express (npm) Apr 16, 2026
Out-of-bounds Write in actix-web
  Critical | CVE-2018-25024 was published for actix-web (Rust) Jan 6, 2022
ProTip! Advisories are also available from the GraphQL API.