GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
9 advisories
Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
Moderate
CVE-2026-25500
was published
for
rack
(RubyGems)
Feb 17, 2026
xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion
High
CVE-2026-34601
was published
for
@xmldom/xmldom
(npm)
Apr 1, 2026
RustFS has an authorization bypass in multipart UploadPartCopy enables cross-bucket object exfiltration
Moderate
CVE-2026-39360
was published
for
rustfs
(Rust)
Apr 8, 2026
CoreDNS DoH GET oversized dns= query parameter causes pre-validation CPU and memory amplification
High
CVE-2026-32936
was published
for
github.com/coredns/coredns
(Go)
Apr 28, 2026
basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering
High
CVE-2026-44240
was published
for
basic-ftp
(npm)
May 6, 2026
Systeminformation vulnerable to Linux command injection in networkInterfaces() via unsanitized NetworkManager connection profile name
High
CVE-2026-44724
was published
for
systeminformation
(npm)
May 13, 2026
Microsoft APM: Symlinks under `.apm/prompts/` and `.apm/agents/` are dereferenced during `apm install`, copying host-local file contents into the project tree
High
CVE-2026-45539
was published
for
apm
(pip)
May 18, 2026
rust-openssl: Potential out-of-bounds write in `CipherCtxRef::cipher_update_inplace` for AES-KW-PAD ciphers
Moderate
CVE-2026-45784
was published
for
openssl
(Rust)
May 19, 2026
PyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b64=false detached JWS
Moderate
CVE-2026-48525
was published
for
pyjwt
(pip)
Jun 15, 2026
ProTip!
Advisories are also available from the
GraphQL API