Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,004
Maven
5,000+
npm
5,000+
NuGet
974
pip
5,000+
Pub
13
RubyGems
1,069
Rust
1,395
Swift
61
Unreviewed advisories
All unreviewed
5,000+

13,830 advisories

Loading
File Browser: FilePath traversal in download-as-zip/tar via Windows-style backslash separators in stored filenames Moderate
CVE-2026-54093 was published for github.com/filebrowser/filebrowser (Go) Jun 12, 2026
hacdias Credited to hacdias
File Browser: Symlink following lets scoped users read, overwrite, and share files outside their filebrowser scope Moderate
CVE-2026-54094 was published for github.com/filebrowser/filebrowser (Go) Jun 12, 2026
DavidCarliez Credited to DavidCarliez, hacdias, m2hcz, and alanturing881 hacdias hacdias
m2hcz m2hcz alanturing881 alanturing881
ConnectBot SSH Client Library: Excessive allocation and integer overflow in DER private-key parsing Moderate
GHSA-vc8p-8pxg-rfwg was published for org.connectbot.sshlib:sshlib (Maven) Jun 12, 2026
Pig-Tail Credited to Pig-Tail and kruton kruton kruton
ConnectBot SSH Client Library: Unbounded SSH field lengths can cause excessive memory allocation Moderate
GHSA-ch3q-cw5r-f4hg was published for org.connectbot.sshlib:sshlib (Maven) Jun 12, 2026
kruton Credited to kruton
Fleet: Observer-level enrollment secret extraction via ORDER BY oracle on Apple MDM commands endpoint Moderate
CVE-2026-46371 was published for github.com/fleetdm/fleet/v4 (Go) Jun 12, 2026
Fleet has observer-level enrollment secret extraction via ORDER BY oracle on labels host-listing endpoint Moderate
CVE-2026-46370 was published for github.com/fleetdm/fleet/v4 (Go) Jun 12, 2026
Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization Moderate
CVE-2026-44311 was published for fabric (npm) Jun 12, 2026
PyO3 has a missing `Sync` bound on `PyCFunction::new_closure` closures Moderate
GHSA-chgr-c6px-7xpp was published for pyo3 (Rust) Jun 12, 2026
TYPO3 CMS has Broken Access Control in the Recycler Module Moderate
CVE-2026-47349 was published for typo3/cms-core (Composer) Jun 12, 2026
TYPO3 CMS has an Open Redirect Vulnerability via Core Utilities Moderate
CVE-2026-47347 was published for typo3/cms-core (Composer) Jun 12, 2026
TYPO3 HTML Sanitizer allows Cross-site Scripting Moderate
CVE-2026-47345 was published for typo3/html-sanitizer (Composer) Jun 12, 2026
TYPO3 CMS has Broken Access Control in its DataHandler Moderate
CVE-2026-47350 was published for typo3/cms-core (Composer) Jun 12, 2026
TYPO3 CMS has Insecure Deserialization via Core API Moderate
CVE-2026-49740 was published for typo3/cms-core (Composer) Jun 12, 2026
TYPO3 CMS has Broken Access Control in Backend API Moderate
CVE-2026-47352 was published for typo3/cms-backend (Composer) Jun 12, 2026
TYPO3 CMS: Broken Access Control in Media Module Moderate
CVE-2026-47351 was published for typo3/cms-backend (Composer) Jun 12, 2026
TYPO3 CMS has Cross-Site Scripting in Indexed Search Moderate
CVE-2026-47348 was published for typo3/cms-core (Composer) Jun 12, 2026
pypdf: Possible long runtimes for zero-only width values in cross-reference streamsuntimes for zero-only width values in cross-reference streams Moderate
CVE-2026-48156 was published for pypdf (pip) Jun 12, 2026
sondt99 Credited to sondt99 and stefan6419846 stefan6419846 stefan6419846
pypdf: Possible large memory usage for large offsets for layout mode text Moderate
CVE-2026-48155 was published for pypdf (pip) Jun 12, 2026
sondt99 Credited to sondt99 and stefan6419846 stefan6419846 stefan6419846
gorest InMemorySecret2FA race condition allows process crash via concurrent map access (CWE-362) Moderate
CVE-2026-48154 was published for github.com/pilinux/gorest (Go) Jun 12, 2026
Budibase: Unvalidated VectorDB Host Parameter Enables SSRF Moderate
CVE-2026-48148 was published for @budibase/server (npm) Jun 12, 2026
fg0x0 Credited to fg0x0
Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker Moderate
CVE-2026-48147 was published for @budibase/backend-core (npm) Jun 12, 2026
b-hermes Credited to b-hermes
GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution Moderate
CVE-2025-58175 was published for org.geoserver.web:gs-web-app (Maven) Jun 12, 2026
lemauanhphong Credited to lemauanhphong and jodygarnett jodygarnett jodygarnett
Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step Moderate
CVE-2026-48128 was published for budibase (npm) Jun 12, 2026
fg0x0 Credited to fg0x0
NIOExtras: NIOHTTPRequestDecompressor ratio limit bypass via inflated Content-Length Moderate
CVE-2026-28975 was published for github.com/apple/swift-nio-extras (Swift) Jun 12, 2026
nathanielmiller23 Credited to nathanielmiller23
SwiftNIO: CRLF Injection in outbound HTTP request URI via NIOHTTPRequestHeadersValidator Moderate
CVE-2026-28970 was published for github.com/apple/swift-nio (Swift) Jun 12, 2026
kuranikaran Credited to kuranikaran and YLChen-007 YLChen-007 YLChen-007
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database