
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

237 advisories

nebula-mesh: Newly-minted operator API key exposed in redirect URL (Referer, history, proxy logs) Moderate
CVE-2026-47768 was published for github.com/juev/nebula-mesh (Go) Jun 10, 2026
Credited to ak2k
Admidio writes session IDs and auto-login cookie values to application logs Moderate
CVE-2026-47234 was published for admidio/admidio (Composer) May 29, 2026
Credited to 0x2face, spect3r1, 0xreizouko, ADHAM-KHAIRY, BabaYaga0x01, and 0xheg3zy
OpenBao's Inline Auth Incorrectly Redacted Headers Moderate
CVE-2026-46358 was published for github.com/openbao/openbao (Go) May 28, 2026
Credited to jackyliao123
Setup PHP: GitHub tokens configured by setup-php may be exposed through pinned affected Composer versions Moderate
GHSA-5wxr-w449-57cm was published for shivammathur/setup-php (GitHub Actions) May 20, 2026
fabric-chaincode-java: TLS Private Key Password Disclosed in INFO Startup Logs in Chaincode-as-a-Service Mode Moderate
CVE-2026-45581 was published for org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim (Maven) May 19, 2026
Credited to lalalala5678 and bestbeforetoday
OpenTelemetry eBPF Instrumentation: Redis error text is exported in span status messages Moderate
CVE-2026-45679 was published for go.opentelemetry.io/obi (Go) May 18, 2026
Credited to MrAlias and grcevski
Valtimo has sensitive data exposure through HTTP request/response logging in LoggingRestClientCustomizer High
CVE-2026-44516 was published for com.ritense.valtimo:web (Maven) May 11, 2026
Apache Airflow Providers Elasticsearch: Elasticsearch task-log handlers leak credentials embedded in the host URL Moderate
CVE-2026-41018 was published for apache-airflow-providers-elasticsearch (pip) May 11, 2026
Apache Airflow Providers OpenSearch: OpenSearch task-log handler leaks credentials embedded in the host URL Moderate
CVE-2026-43826 was published for apache-airflow-providers-opensearch (pip) May 11, 2026
Spring Cloud Config Server Logged Sensitive Information Moderate
CVE-2026-41004 was published for org.springframework.cloud:spring-cloud-config-server (Maven) May 7, 2026
Vercel: Non-interactive mode includes CLI arguments in suggested command output Moderate
CVE-2026-44479 was published for vercel (npm) May 7, 2026
n8n-MCP: Sensitive MCP tool-call arguments logged on authenticated requests in HTTP mode Moderate
CVE-2026-42282 was published for n8n-mcp (npm) Apr 25, 2026
Credited to Mirr2
n8n-MCP Logs Sensitive Request Data on Unauthorized /mcp Requests Moderate
CVE-2026-41495 was published for n8n-mcp (npm) Apr 23, 2026
Credited to S4nso
Apache Kafka exposes sensitive information in its DEBUG logs Moderate
CVE-2026-33558 was published for org.apache.kafka:kafka-clients (Maven) Apr 20, 2026
Meridian: Multiple defense-in-depth gaps (collection/depth caps, telemetry, retry, fan-out) High
GHSA-f5v8-v6q3-q4h6 was published for Meridian.Mapping (NuGet) Apr 16, 2026
Valtimo: Sensitive data exposure through inbox message logging in InboxHandlingService Moderate
CVE-2026-34164 was published for com.ritense.valtimo:inbox (Maven) Apr 16, 2026
Apache Airflow: JWT token appearing in logs Moderate
CVE-2026-31987 was published for apache-airflow (pip) Apr 16, 2026
LangSmith SDK: Streaming token events bypass output redaction Moderate
CVE-2026-41182 was published for langsmith (npm) Apr 16, 2026
Credited to Ryu7zz
Oxia exposes bearer token in debug log messages on authentication failure High
CVE-2026-40945 was published for github.com/oxia-db/oxia (Go) Apr 14, 2026
SpiceDB's SPICEDB_DATASTORE_CONN_URI is leaked on startup logs Moderate
CVE-2026-40091 was published for github.com/authzed/spicedb (Go) Apr 14, 2026
Credited to juupas and miparnisari
Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI Moderate
CVE-2025-66236 was published for apache-airflow (pip) Apr 13, 2026
Apache Tomcat vulnerable to Insertion of Sensitive Information into Log File High
CVE-2026-34487 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Apr 9, 2026
kube-router: BGP Peer Passwords Exposed in Logs at Verbose Logging Level Moderate
GHSA-fcmh-qfxc-w685 was published for github.com/cloudnativelabs/kube-router/v2 (Go) Apr 8, 2026
Credited to offset
Apache Cassandra has sensitive Information Leak in cqlsh Moderate
CVE-2026-27315 was published for org.apache.cassandra:cassandra-all (Maven) Apr 7, 2026