Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,029
Maven
5,000+
npm
5,000+
NuGet
976
pip
5,000+
Pub
13
RubyGems
1,070
Rust
1,404
Swift
61
Unreviewed advisories
All unreviewed
5,000+

2,296 advisories

Loading
Keycloak's identity-first login flow exposes user information Low
CVE-2026-4633 was published for org.keycloak:keycloak-services (Maven) Mar 23, 2026
dnegreira Credited to dnegreira and julianladisch julianladisch julianladisch
Pi Agent: Race condition in Pi auth.json writes could expose stored credentials Low
CVE-2026-54327 was published for @earendil-works/pi-coding-agent (npm) Jun 17, 2026
urianpaul94 Credited to urianpaul94
Pi Agent: Potential XSS in HTML session exports via Markdown URL sanitization bypass Low
CVE-2026-54326 was published for @earendil-works/pi-coding-agent (npm) Jun 16, 2026
urianpaul94 Credited to urianpaul94
Cross-site scripting via <NoScript> slot content in Nuxt's head components Low
GHSA-m3q2-p4fw-w38m was published for nuxt (npm) Jun 16, 2026
alcls01111 Credited to alcls01111
Bleach: URI sanitization allows disallowed URI schemes with Unicode > U+00A0 in output Low
GHSA-8rfp-98v4-mmr6 was published for bleach (pip) Jun 16, 2026
Nuxt: Dev server discloses project absolute path and persistent workspace UUID via `/.well-known/appspecific/com.chrome.devtools.json` Low
GHSA-rq7w-g337-39qq was published for nuxt (npm) Jun 15, 2026
manop55555 Credited to manop55555
Starlette: Unvalidated request path concatenated into authority poisons request.url.hostname Low
CVE-2026-54282 was published for Starlette (pip) Jun 15, 2026
nic-lovin Credited to nic-lovin
python-multipart: Negative Content-Length in parse_form buffers the entire body in memory Low
CVE-2026-53540 was published for python-multipart (pip) Jun 15, 2026
lullu57 Credited to lullu57 and seok-hee97 seok-hee97 seok-hee97
python-multipart: Semicolon treated as querystring field separator enables parameter smuggling Low
CVE-2026-53538 was published for python-multipart (pip) Jun 15, 2026
maxisbey Credited to maxisbey
python-multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters Low
CVE-2026-53537 was published for python-multipart (pip) Jun 15, 2026
0xkakash1 Credited to 0xkakash1 and sammiee5311 sammiee5311 sammiee5311
DOMPurify: Trusted Types policy survives `clearConfig()` and can poison later `RETURN_TRUSTED_TYPE` output Low
GHSA-vxr8-fq34-vvx9 was published for dompurify (npm) Jun 15, 2026
offset Credited to offset
aiohttp: TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections Low
CVE-2026-54275 was published for aiohttp (pip) Jun 15, 2026
denyspakizh-tob Credited to denyspakizh-tob and bdraco bdraco bdraco
aiohttp: Payload Response Resources Are Not Closed After Mid-Body Disconnect Low
CVE-2026-54280 was published for aiohttp (pip) Jun 15, 2026
denyspakizh-tob Credited to denyspakizh-tob and bdraco bdraco bdraco
aiohttp: Host-Only Cookies Become Domain Cookies After CookieJar Persistence Low
CVE-2026-54279 was published for aiohttp (pip) Jun 15, 2026
denyspakizh-tob Credited to denyspakizh-tob and bdraco bdraco bdraco
aiohttp: CRLF injection in multipart headers Low
CVE-2026-50269 was published for aiohttp (pip) Jun 15, 2026
tonghuaroot Credited to tonghuaroot and Dreamsorcerer Dreamsorcerer Dreamsorcerer
React Router: Potential CSRF via PUT/PATCH/DELETE document requests Low
CVE-2026-53663 was published for @remix-run/server-runtime (npm) Jun 15, 2026
gasbugs Credited to gasbugs
DOMPurify: SAFE_FOR_TEMPLATES bypass - template expressions survive sanitization inside <template> content when using DOM output modes Low
GHSA-gvmj-g25r-r7wr was published for dompurify (npm) Jun 15, 2026
IamLeandrooooo Credited to IamLeandrooooo
DOMPurify: `IN_PLACE` mode trusts attacker-controlled `nodeName` on live non-form nodes, allowing script retention and XSS via attacker-supplied DOM objects Low
GHSA-x4vx-rjvf-j5p4 was published for dompurify (npm) Jun 15, 2026
PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS) Low
CVE-2026-48524 was published for pyjwt (pip) Jun 15, 2026
@babel/core: Arbitrary File Read via sourceMappingURL Comment Low
CVE-2026-49356 was published for @babel/core (npm) Jun 15, 2026
radoi-teodor Credited to radoi-teodor, JLHwung, nicolo-ribaudo, and liuxingbaoyu JLHwung JLHwung
nicolo-ribaudo nicolo-ribaudo liuxingbaoyu liuxingbaoyu
esbuild allows arbitrary file read when running the development server on Windows Low
GHSA-g7r4-m6w7-qqqr was published for esbuild (npm) Jun 12, 2026
dellalibera Credited to dellalibera
Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning Low
CVE-2026-46342 was published for @nuxt/nitro-server (npm) May 19, 2026
fancymalware Credited to fancymalware
Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix Low
CVE-2026-44489 was published for axios (npm) May 29, 2026
TYPO3 CMS has Broken Access Control in its File Abstraction Layer Low
CVE-2026-49738 was published for typo3/cms-core (Composer) Jun 12, 2026
TYPO3 HTML Sanitizer allows Cross-site Scripting Low
CVE-2026-47344 was published for typo3/html-sanitizer (Composer) Jun 12, 2026
ohader Credited to ohader
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database