GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
41 advisories
Radius Controller May Delete a Container Resource via an Injected Deployment Annotation (Multi-Tenant Installs)
High | CVE-2026-53999 was published for github.com/radius-project/radius (Go) | Jun 12, 2026
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows UPnP AddPortMapping to...
High | Unreviewed | CVE-2026-36608 was published | Jun 3, 2026
In getCallingPackageName of Shared.java, there is a possible way to bypass activity start...
High | Unreviewed | CVE-2026-0098 was published | Jun 2, 2026
In multiple functions of PipTaskOrganizer.java, there is a possible way to launch an activity...
High | Unreviewed | CVE-2025-48570 was published | Jun 2, 2026
axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
High | CVE-2026-44494 was published for axios (npm) | May 29, 2026
Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0
High | CVE-2026-42043 was published for axios (npm) | May 5, 2026
pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy via unrestricted `proxy.*` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)
High | CVE-2026-42313 was published for pyload-ng (pip) | May 4, 2026
Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a deprecated .NET...
High | Unreviewed | CVE-2026-39906 was published | Apr 15, 2026
kyverno apicall servicecall implicit bearer token injection leaks kyverno serviceaccount token
High | CVE-2026-40868 was published for github.com/kyverno/kyverno (Go) | Apr 14, 2026
FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities
High | CVE-2026-27124 was published for fastmcp (pip) | Mar 31, 2026
In gmc_ddr_handle_mba_mr_req of gmc_mba_ddr.c, there is a possible escalation of privileges due...
High | Unreviewed | CVE-2026-0107 was published | Mar 10, 2026
In hasInteractAcrossUsersFullPermission of AppInfoBase.java, there is a possible cross-user...
High | Unreviewed | CVE-2026-0021 was published | Mar 2, 2026
In setupLayout of PickActivity.java, there is a possible way to start any activity as a...
High | Unreviewed | CVE-2026-0013 was published | Mar 2, 2026
In executeRequest of ActivityStarter.java, there is a possible launch anywhere due to a confused...
High | Unreviewed | CVE-2025-48646 was published | Mar 2, 2026
In multiple locations, there is a possible privilege escalation due to a confused deputy. This...
High | Unreviewed | CVE-2026-0008 was published | Mar 2, 2026
In multiple functions of MediaProvider.java, there is a possible external storage write...
High | Unreviewed | CVE-2025-48579 was published | Mar 2, 2026
An unintended proxy or intermediary in the AMD power management firmware (PMFW) could allow a...
High | Unreviewed | CVE-2023-31313 was published | Feb 12, 2026
Skipper Ingress Controller Allows Unauthorized Access to Internal Services via ExternalName
High | CVE-2026-24470 was published for github.com/zalando/skipper (Go) | Jan 26, 2026
SurrealDB Affected by Confused Deputy Privilege Escalation through Future Fields and Functions
High | GHSA-3v2x-9xcv-2v2v was published for surrealdb (Rust) | Jan 22, 2026
Misconfigured Internal Proxy in runtimes-inventory-rhel8-operator Grants Standard Users Full Cluster Administrator Access
High | CVE-2025-11393 was published for github.com/RedHatInsights/runtimes-inventory-operator (Go) | Dec 15, 2025
In validateIconUserBoundary of PrintManagerService.java, there is a possible cross-user image...
High | Unreviewed | CVE-2025-48628 was published | Dec 8, 2025
In onActivityResult of EditFdnContactScreen.java, there is a possible way to leak contacts from...
High | Unreviewed | CVE-2025-48586 was published | Dec 8, 2025
In multiple functions of NotificationStation.java, there is a possible cross-profile information...
High | Unreviewed | CVE-2025-48555 was published | Dec 8, 2025
In grantAllowlistedPackagePermissions of SettingsSliceProvider.java, there is a possible way for...
High | Unreviewed | CVE-2025-48536 was published | Dec 8, 2025
In multiple locations, there is a possible way to leak audio files across user profiles due to a...
High | Unreviewed | CVE-2025-22420 was published | Dec 8, 2025
ProTip! Advisories are also available from the GraphQL API.