Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,004
Maven
5,000+
npm
5,000+
NuGet
974
pip
5,000+
Pub
13
RubyGems
1,069
Rust
1,395
Swift
61
Unreviewed advisories
All unreviewed
5,000+

437 advisories

Loading
Supply chain compromise via malicious @cap-js/openapi Critical
GHSA-jpvj-wpmj-h7rv was published for @cap-js/openapi (npm) Jun 4, 2026
Supply chain compromise via malicious package versions (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service) Critical
CVE-2026-46421 was published for @cap-js/db-service (npm) May 20, 2026
patricebender Credited to patricebender and chgeo chgeo chgeo
Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19) — Mini Shai-Hulud worm Critical
CVE-2026-46412 was published for @beproduct/nestjs-auth (npm) May 19, 2026
Malicious code in guardrails-ai 0.10.1 (supply chain compromise) Critical
CVE-2026-45758 was published for guardrails-ai (pip) May 19, 2026
Malware in @opensearch-project/opensearch Critical
GHSA-27f5-xjrr-q9ff was published for @opensearch-project/opensearch (npm) May 19, 2026
Broken dropper in @mistralai/mistralai, @mistralai/mistralai-azure, @mistralai/mistralai-gcp Low
GHSA-jgg6-4rpr-wfh7 was published for @mistralai/mistralai (npm) May 18, 2026
jean-malo Credited to jean-malo
Malicious dropper in mistralai 2.4.6 PyPI package Critical
GHSA-wx9m-wx4f-4cmg was published for mistralai (pip) May 18, 2026
nullcharb Credited to nullcharb
A supply chain attack compromised the official installation packages of DAEMON Tools Lite ... Critical Unreviewed
CVE-2026-8398 was published May 15, 2026
Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys Critical
CVE-2026-45321 was published for @tanstack/arktype-adapter (npm) May 12, 2026
ashishkurmi Credited to ashishkurmi
Compromised version of intercom-client published to npm Critical
GHSA-54pg-9963-v8vg was published for intercom-client (npm) May 7, 2026
Compromised tag of intercom-php published via GitHub Critical
GHSA-gr3r-crp5-qrrm was published for intercom/intercom-php (Composer) May 7, 2026
Compromise of PyTorch Lightning PyPi Package Versions Critical
CVE-2026-44484 was published for pytorch-lightning (pip) May 7, 2026
`mysten-metrics` was removed from crates.io for malicious code Critical
GHSA-g38r-8gmr-ghrf was published for mysten-metrics (Rust) May 4, 2026
`sui-execution-cut` was removed from crates.io for malicious code Critical
GHSA-qprh-m6p3-hwxc was published for sui-execution-cut (Rust) May 4, 2026
The Accordion and Accordion Slider plugin for WordPress is vulnerable to an injected backdoor in... Critical Unreviewed
CVE-2026-6443 was published Apr 17, 2026
Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access... Critical Unreviewed
CVE-2026-34424 was published Apr 10, 2026
Axios npm Supply Chain Incident Impacting @usebruno/cli Critical
CVE-2026-34841 was published for @usebruno/cli (npm) Apr 2, 2026
Telnyx has malicious code in PyPI versions 4.87.1 and 4.87.2 Critical
GHSA-955r-262c-33jc was published for telnyx (pip) Mar 30, 2026
Two LiteLLM versions published containing credential harvesting malware Critical
GHSA-5mg7-485q-xm76 was published for litellm (pip) Mar 25, 2026
Trivy ecosystem supply chain was briefly compromised Critical
CVE-2026-33634 was published for aquasecurity/setup-trivy (GitHub Actions) Mar 24, 2026
xygeni-action v5 tag poisoned with C2 backdoor Critical
CVE-2026-31976 was published for xygeni/xygeni-action (GitHub Actions) Mar 11, 2026
Nick2bad4u Credited to Nick2bad4u
The OVRI Payment plugin for WordPress contains malicious .htaccess files in version 1.7.0. The... Moderate Unreviewed
CVE-2024-10938 was published Feb 27, 2026
`polymarket-client-sdks` was removed from crates.io for malicious code Critical
GHSA-p5vf-5754-x7p3 was published for polymarket-client-sdks (Rust) Feb 13, 2026
`sha-rst` was removed from crates.io for malicious code Critical
GHSA-vgr2-r5hm-f6gf was published for sha-rst (Rust) Feb 12, 2026
`finch_cli_rust` was removed from crates.io for malicious code Critical
GHSA-6v2j-vr4h-f632 was published for finch_cli_rust (Rust) Feb 12, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database