
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

51 advisories

GitHub CLI: GitHub Actions log output in `gh run view` allows terminal escape sequence injection Low
CVE-2026-45803 was published for github.com/cli/cli (Go) May 19, 2026
Inspektor Gadget uses unsanitized ANSI Escape Sequences In `columns` Output Mode Moderate
CVE-2026-25996 was published for github.com/inspektor-gadget/inspektor-gadget (Go) Apr 22, 2026
Credited to suidpit, ndaprela, eiffel-fl, and flyth
OpenClaw has ACP CLI approval prompt ANSI escape sequence injection Moderate
CVE-2026-35651 was published for openclaw (npm) Mar 29, 2026
Credited to nexrin, KeenSecurityLab, qclawer, anlakii, and simon-reisinger-dynatrace
AWS SDK for PHP has CloudFront Policy Document Injection via Special Characters High
GHSA-27qh-8cxx-2cr5 was published for aws/aws-sdk-php (Composer) Mar 27, 2026
Mattermost allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences High
CVE-2026-3108 was published for github.com/mattermost/mattermost/server/v8 (Go) Mar 26, 2026
Tanium addressed an unauthorized code execution vulnerability in Tanium Appliance. High Unreviewed
CVE-2025-15311 was published Feb 5, 2026
Mailpit has an SMTP Header Injection via Regex Bypass Moderate
CVE-2026-23829 was published for github.com/axllent/mailpit (Go) Jan 20, 2026
Credited to omarkurt
badkeys vulnerable to ASCII control character injection on console via malformed input Low
CVE-2026-21439 was published for badkeys (pip) Jan 5, 2026
Credited to hannob
Soft Serve does not sanitize ANSI escape sequences in user input Moderate
CVE-2025-64494 was published for github.com/charmbracelet/soft-serve (Go) Nov 6, 2025
Credited to Tomer-PL and caarlos0
Apache Tomcat Vulnerable to Improper Neutralization of Escape, Meta, or Control Sequences Low
CVE-2025-55754 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Oct 27, 2025
Credited to aruneko
Tracing logging user input may result in poisoning logs with ANSI escape sequences Low
CVE-2025-58160 was published for tracing-subscriber (Rust) Aug 29, 2025
Credited to zefr0x
Active Record logging vulnerable to ANSI escape injection Moderate
CVE-2025-55193 was published for activerecord (RubyGems) Aug 13, 2025
Credited to th4s1s
Gardener allows metadata injection for a project secret which can lead to privilege escalation Critical
CVE-2025-47284 was published for github.com/gardener/gardener (Go) May 19, 2025
Credited to rfranzke, donistz, timuthy, and JordanJordanov
Apache Tomcat Rewrite rule bypass Low
CVE-2025-31651 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Apr 28, 2025
Credited to amita-seal and taxone
gurk (aka gurk-rs) mishandles ANSI escape sequences Moderate
CVE-2025-30089 was published for gurk (Rust) Mar 17, 2025
Credited to Malayke