GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

225 advisories

n8n-MCP: Sensitive MCP tool-call arguments logged on authenticated requests in HTTP mode Moderate
GHSA-wg4g-395p-mqv3 was published for n8n-mcp (npm) Apr 25, 2026
Credited to Mirr2
n8n-MCP Logs Sensitive Request Data on Unauthorized /mcp Requests Moderate
CVE-2026-41495 was published for n8n-mcp (npm) Apr 23, 2026
Credited to S4nso
Apache Kafka exposes sensitive information in its DEBUG logs Moderate
CVE-2026-33558 was published for org.apache.kafka:kafka-clients (Maven) Apr 20, 2026
Meridian: Multiple defense-in-depth gaps (collection/depth caps, telemetry, retry, fan-out) High
GHSA-f5v8-v6q3-q4h6 was published for Meridian.Mapping (NuGet) Apr 16, 2026
Valtimo: Sensitive data exposure through inbox message logging in InboxHandlingService Moderate
CVE-2026-34164 was published for com.ritense.valtimo:inbox (Maven) Apr 16, 2026
Apache Airflow: JWT token appearing in logs Moderate
CVE-2026-31987 was published for apache-airflow (pip) Apr 16, 2026
LangSmith SDK: Streaming token events bypass output redaction Moderate
CVE-2026-41182 was published for langsmith (npm) Apr 16, 2026
Credited to Ryu7zz
Oxia exposes bearer token in debug log messages on authentication failure High
CVE-2026-40945 was published for github.com/oxia-db/oxia (Go) Apr 14, 2026
SpiceDB's SPICEDB_DATASTORE_CONN_URI is leaked on startup logs Moderate
CVE-2026-40091 was published for github.com/authzed/spicedb (Go) Apr 14, 2026
Credited to miparnisari
Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI Moderate
CVE-2025-66236 was published for apache-airflow (pip) Apr 13, 2026
Apache Tomcat vulnerable to Insertion of Sensitive Information into Log File High
CVE-2026-34487 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Apr 9, 2026
kube-router: BGP Peer Passwords Exposed in Logs at Verbose Logging Level Moderate
GHSA-fcmh-qfxc-w685 was published for github.com/cloudnativelabs/kube-router/v2 (Go) Apr 8, 2026
Credited to offset
Apache Cassandra has sensitive Information Leak in cqlsh Moderate
CVE-2026-27315 was published for org.apache.cassandra:cassandra-all (Maven) Apr 7, 2026
Harbor: LDAP password and OIDC secret are not redacted in the audit log Moderate
GHSA-prh4-vhfh-24mj was published for github.com/goharbor/harbor (Go) Mar 26, 2026
OpenClaw Telegram media fetch errors exposed bot tokens in logged file URLs Moderate
GHSA-xwcj-hwhf-h378 was published for openclaw (npm) Mar 16, 2026
Credited to space08
Credited to lintsinghua and woreksami
OneUptime: Password Reset Token Logged at INFO Level Moderate
CVE-2026-32598 was published for oneuptime (npm) Mar 13, 2026
Credited to n0rv-TvT
OliveTin's email argument makes compliance harder, enables log injection Moderate
GHSA-xx6g-43w2-9g6g was published for github.com/OliveTin/OliveTin (Go) Mar 12, 2026
Credited to fg0x0
Apache ZooKeeper has improper handling of configuration values High
CVE-2026-24308 was published for org.apache.zookeeper:zookeeper (Maven) Mar 7, 2026
@backstage/plugin-scaffolder-backend Vulnerable to Potential Session Token Exfiltration via Log Redaction Bypass Low
CVE-2026-29184 was published for @backstage/plugin-scaffolder-backend (npm) Mar 5, 2026
Rancher Backup Operator pod's logs leak S3 tokens Moderate
CVE-2025-62879 was published for github.com/rancher/backup-restore-operator (Go) Mar 3, 2026
Curio exposes database credentials to users with network access through verbose HTTP error responses High
GHSA-gj6x-q8rh-wj6x was published for github.com/filecoin-project/curio (Go) Feb 26, 2026
Terraform Provider for Linode Debug Logs Vulnerable to Sensitive Information Exposure Moderate
CVE-2026-27900 was published for github.com/linode/terraform-provider-linode (Go) Feb 26, 2026
Apache Airflow exposes sensitive information in its log files Moderate
CVE-2025-27555 was published for apache-airflow (pip) Feb 24, 2026
unity-cli Exposes Plaintext Credentials in Debug Logs (sign-package command) Moderate
CVE-2026-25918 was published for @rage-against-the-pixel/unity-cli (npm) Feb 10, 2026