GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
157 advisories
vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router
Moderate | CVE-2026-54236 was published for vllm (pip) | Jun 17, 2026

nebula-mesh: Newly-minted operator API key exposed in redirect URL (Referer, history, proxy logs)
Moderate | CVE-2026-47768 was published for github.com/juev/nebula-mesh (Go) | Jun 10, 2026

Admidio writes session IDs and auto-login cookie values to application logs
Moderate | CVE-2026-47234 was published for admidio/admidio (Composer) | May 29, 2026

OpenBao's Inline Auth Incorrectly Redacted Headers
Moderate | CVE-2026-46358 was published for github.com/openbao/openbao (Go) | May 28, 2026

Setup PHP: GitHub tokens configured by setup-php may be exposed through pinned affected Composer versions
Moderate | GHSA-5wxr-w449-57cm was published for shivammathur/setup-php (GitHub Actions) | May 20, 2026

fabric-chaincode-java: TLS Private Key Password Disclosed in INFO Startup Logs in Chaincode-as-a-Service Mode
Moderate | CVE-2026-45581 was published for org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim (Maven) | May 19, 2026

OpenTelemetry eBPF Instrumentation: Redis error text is exported in span status messages
Moderate | CVE-2026-45679 was published for go.opentelemetry.io/obi (Go) | May 18, 2026

Apache Airflow Providers OpenSearch: OpenSearch task-log handler leaks credentials embedded in the host URL
Moderate | CVE-2026-43826 was published for apache-airflow-providers-opensearch (pip) | May 11, 2026

Apache Airflow Providers Elasticsearch: Elasticsearch task-log handlers leak credentials embedded in the host URL
Moderate | CVE-2026-41018 was published for apache-airflow-providers-elasticsearch (pip) | May 11, 2026

Spring Cloud Config Server Logged Sensitive Information
Moderate | CVE-2026-41004 was published for org.springframework.cloud:spring-cloud-config-server (Maven) | May 7, 2026

Vercel: Non-interactive mode includes CLI arguments in suggested command output
Moderate | CVE-2026-44479 was published for vercel (npm) | May 7, 2026

n8n-MCP: Sensitive MCP tool-call arguments logged on authenticated requests in HTTP mode
Moderate | CVE-2026-42282 was published for n8n-mcp (npm) | Apr 25, 2026

n8n-MCP Logs Sensitive Request Data on Unauthorized /mcp Requests
Moderate | CVE-2026-41495 was published for n8n-mcp (npm) | Apr 23, 2026

Apache Kafka exposes sensitive information in its DEBUG logs
Moderate | CVE-2026-33558 was published for org.apache.kafka:kafka-clients (Maven) | Apr 20, 2026

Valtimo: Sensitive data exposure through inbox message logging in InboxHandlingService
Moderate | CVE-2026-34164 was published for com.ritense.valtimo:inbox (Maven) | Apr 16, 2026

Apache Airflow: JWT token appearing in logs
Moderate | CVE-2026-31987 was published for apache-airflow (pip) | Apr 16, 2026

LangSmith SDK: Streaming token events bypass output redaction
Moderate | CVE-2026-41182 was published for langsmith (npm) | Apr 16, 2026

SpiceDB's SPICEDB_DATASTORE_CONN_URI is leaked on startup logs
Moderate | CVE-2026-40091 was published for github.com/authzed/spicedb (Go) | Apr 14, 2026

Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI
Moderate | CVE-2025-66236 was published for apache-airflow (pip) | Apr 13, 2026

kube-router: BGP Peer Passwords Exposed in Logs at Verbose Logging Level
Moderate | GHSA-fcmh-qfxc-w685 was published for github.com/cloudnativelabs/kube-router/v2 (Go) | Apr 8, 2026

Apache Cassandra has sensitive Information Leak in cqlsh
Moderate | CVE-2026-27315 was published for org.apache.cassandra:cassandra-all (Maven) | Apr 7, 2026

Harbor: LDAP password and OIDC secret are not redacted in the audit log
Moderate | GHSA-prh4-vhfh-24mj was published for github.com/goharbor/harbor (Go) | Mar 26, 2026

OpenClaw Telegram media fetch errors exposed bot tokens in logged file URLs
Moderate | GHSA-xwcj-hwhf-h378 was published for openclaw (npm) | Mar 16, 2026

OpenClaw: Pairing setup codes exposed long-lived shared gateway credentials instead of short-lived bootstrap tokens
Moderate | GHSA-7h7g-x2px-94hj was published for openclaw (npm) | Mar 13, 2026

OneUptime: Password Reset Token Logged at INFO Level
Moderate | CVE-2026-32598 was published for oneuptime (npm) | Mar 13, 2026
ProTip! Advisories are also available from the GraphQL API.