Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
40
Go
2,974
Maven
5,000+
npm
4,621
NuGet
788
pip
4,317
Pub
12
RubyGems
984
Rust
1,131
Swift
49
Unreviewed advisories
All unreviewed
5,000+

26,046 advisories

Loading
MCP Run Python has a Sandbox Escape & Server Takeover Vulnerability Moderate
CVE-2026-25905 was published for mcp-run-python (pip) Feb 9, 2026
saivarun3407
Credited to saivarun3407
jsonpath has Arbitrary Code Injection via Unsafe Evaluation of JSON Path Expressions High
CVE-2026-1615 was published for jsonpath (npm) Feb 9, 2026
saivarun3407
Credited to saivarun3407
mcp-maigret vulnerable to command injection Moderate
CVE-2026-2130 was published for mcp-maigret (npm) Feb 8, 2026
Sliver has DNS C2 OTP Bypass that Allows Unauthenticated Session Flooding and Denial of Service High
CVE-2026-25791 was published for github.com/bishopfox/sliver (Go) Feb 6, 2026
xtle0o0
Credited to xtle0o0
Antrea has invalid enforcement order for network policy rules caused by integer overflow High
CVE-2026-25804 was published for antrea.io/antrea (Go) Feb 6, 2026
antoninbas Dyanngg
Credited to antoninbas and Dyanngg
Keylime Missing Authentication for Critical Function and Improper Authentication Critical
CVE-2026-1709 was published for keylime (pip) Feb 6, 2026
saivarun3407 Death-Incarnate
Credited to saivarun3407 and Death-Incarnate
LookupResources Cursor section tampering can crash SpiceDB process via tuple.MustParse panic Low
GHSA-vhvq-fv9f-wh4q was published for github.com/authzed/spicedb (Go) Feb 6, 2026
1seal
Credited to 1seal
Duplicate Advisory: Keylime Missing Authentication for Critical Function and Improper Authentication Critical
GHSA-27jc-jmp8-qfw5 was published for keylime (pip) Feb 6, 2026 withdrawn
`uniswap-utils` was removed from crates.io for malicious code Critical
GHSA-x468-phr8-h3p3 was published for uniswap-utils (Rust) Feb 6, 2026
`sha-rust` was removed from crates.io for malicious code Critical
GHSA-3mmg-7c2q-8938 was published for sha-rust (Rust) Feb 6, 2026
`finch-rust` was removed from crates.io for malicious code Critical
GHSA-f8h5-x737-x4xr was published for finch-rust (Rust) Feb 6, 2026
`polymarket-clients-sdk` was removed from crates.io for malicious code Critical
GHSA-382q-fpqh-29f7 was published for polymarket-clients-sdk (Rust) Feb 6, 2026
`evm-units` was removed from crates.io for malicious code Critical
GHSA-6662-54xr-8423 was published for evm-units (Rust) Feb 6, 2026
Blocklist Bypass possible via ECDSA Signature Malleability High
CVE-2026-25793 was published for github.com/slackhq/nebula (Go) Feb 6, 2026
mrtufan
Credited to mrtufan
AdonisJS vulnerable to Denial of Service (DoS) via Unrestricted Memory Buffering in PartHandler during File Type Detection High
CVE-2026-25762 was published for @adonisjs/bodyparser (npm) Feb 6, 2026
ZeroXJacks
Credited to ZeroXJacks
Gogs has authorization bypass in repository deletion API Moderate
CVE-2025-65852 was published for gogs.io/gogs (Go) Feb 6, 2026
Yannis175
Credited to Yannis175
Gogs vulnerable to Stored XSS via Mermaid diagrams High
GHSA-26gq-grmh-6xm6 was published for gogs.io/gogs (Go) Feb 6, 2026
jdomeracki
Credited to jdomeracki
A single post-release of dydx-v4-client contained obfuscated multi-stage loader Critical
GHSA-4f84-67cv-qrv3 was published for dydx-v4-client (pip) Feb 6, 2026
Phlex XSS protection bypass via attribute splatting, dynamic tags, and href values High
GHSA-w67g-2h6v-vjgq was published for phlex (RubyGems) Feb 6, 2026
AdonisJS multipart body parsing has Prototype Pollution issue High
CVE-2026-25754 was published for @adonisjs/bodyparser (npm) Feb 6, 2026
RomainLanz
Credited to RomainLanz
Claude Code has Sandbox Escape via Persistent Configuration Injection in settings.json High
CVE-2026-25725 was published for @anthropic-ai/claude-code (npm) Feb 6, 2026
Claude Code has Permission Deny Bypass Through Symbolic Links Low
CVE-2026-25724 was published for @anthropic-ai/claude-code (npm) Feb 6, 2026
Claude Code Vulnerable to Command Injection via Piped sed Command Bypasses File Write Restrictions High
CVE-2026-25723 was published for @anthropic-ai/claude-code (npm) Feb 6, 2026
Claude Code Vulnerable to Command Injection via Directory Change Bypasses Write Protection High
CVE-2026-25722 was published for @anthropic-ai/claude-code (npm) Feb 6, 2026
[actix-files] Panic triggered by empty Range header in GET request for static file Moderate
GHSA-gcqf-3g44-vc9p was published for actix-files (Rust) Feb 6, 2026
Diomendius JohnTitor
Credited to Diomendius and JohnTitor
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database