
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

29,008 advisories

python-multipart affected by Denial of Service via large multipart preamble or epilogue data Moderate
CVE-2026-40347 was published for python-multipart (pip) Apr 15, 2026
Credited to HamdaanAliQuatil and defnull
NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins Moderate
CVE-2026-40346 was published for @nocobase/plugin-workflow-request (npm) Apr 15, 2026
PocketMine-MP has LogDoS by many junk properties in client data JWT in LoginPacket Moderate
GHSA-xp4f-g2cm-rhg7 was published for pocketmine/pocketmine-mp (Composer) Apr 15, 2026
Credited to DrakzoSurYT and dktapps
pypdf has long runtimes for wrong size values in cross-reference and object streams Moderate
GHSA-jj6c-8h6c-hppx was published for pypdf (pip) Apr 15, 2026
Credited to alpakalee and stefan6419846
OpenRemote has XXE in Velbus Asset Import High
CVE-2026-40882 was published for io.openremote:openremote-manager (Maven) Apr 15, 2026
Credited to KKC73
thin-vec: Use-After-Free and Double Free in IntoIter::drop When Element Drop Panics High
GHSA-xphw-cqx3-667j was published for thin-vec (Rust) Apr 15, 2026
Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type Header High
CVE-2026-33806 was published for fastify (npm) Apr 15, 2026
Credited to mcollina, climba03003, jsumners, and UlisesGascon
OAuth2 Proxy has an Authentication Bypass via Fragment Confusion in skip_auth_routes and skip_auth_regex High
GHSA-pxq7-h93f-9jrg was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) Apr 15, 2026
Credited to rootxharsh
OAuth2 Proxy has an Authorization Bypass in Email Domain Validation via Malformed Multi-@ Email Claims Moderate
CVE-2026-40574 was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) Apr 15, 2026
Credited to kodareef5
OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing Critical
CVE-2026-40575 was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) Apr 15, 2026
Credited to iamnoooob
Data Sharing Framework has an Inverted Time Comparison in OIDC JWKS and Token Cache Moderate
GHSA-xmj9-7625-f634 was published for dev.dsf:dsf-bpe-process-api-v2 (Maven) Apr 15, 2026
Data Sharing Framework is Missing Session Timeout for OIDC Sessions Moderate
GHSA-gj7p-595x-qwf5 was published for dev.dsf:dsf-bpe-server (Maven) Apr 15, 2026
Sync-in Server has Username Enumeration via Timing Attack Moderate
GHSA-43fj-qp3h-hrh5 was published for @sync-in/server (npm) Apr 15, 2026
Credited to ppfeister and 7185
Defense in Depth update for NuGet Client Low
GHSA-g4vj-cjjj-v7hg was published for NuGet.CommandLine (NuGet) Apr 14, 2026
Credited to michaelknap
Jetty has HTTP Request Smuggling via Chunked Extension Quoted-String Parsing High
CVE-2026-2332 was published for org.eclipse.jetty:jetty-http (Maven) Apr 14, 2026
Credited to xclow3n
MinIO has an Unauthenticated Object Write via Query-String Credential Signature Bypass in Unsigned-Trailer Uploads High
GHSA-hv4r-mvr4-25vw was published for github.com/minio/minio (Go) Apr 14, 2026
Credited to ddd, harshavardhana, and donatello
Kiota: Code Generation Literal Injection High
GHSA-2hx3-vp6r-mg3f was published for kiota (NuGet) Apr 14, 2026
Credited to baywet and gavinbarron
pyLoad's Session Not Invalidated After Permission Changes Low
GHSA-fj52-5g4h-gmq8 was published for pyload-ng (pip) Apr 14, 2026
Credited to PinkDraconian
pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass) High
GHSA-66hx-chf7-3332 was published for pyload-ng (pip) Apr 14, 2026
Credited to komi22
Craft CMS has a host header injection leading to SSRF via resource-js endpoint Moderate
GHSA-95wr-3f2v-v2wh was published for craftcms/cms (Composer) Apr 14, 2026
Credited to HuajiHD
Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations Moderate
GHSA-3m9m-24vh-39wx was published for craftcms/cms (Composer) Apr 14, 2026
Credited to r3dbrothers
Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action Moderate
GHSA-jq2f-59pj-p3m3 was published for craftcms/cms (Composer) Apr 14, 2026
Credited to kaminuma
OpenTofu has unbounded memory usage, high CPU usage, or deadlock in "tofu init" with maliciously-crafted dependency responses Low
GHSA-hw5x-4r37-72w7 was published for github.com/opentofu/opentofu (Go) Apr 14, 2026
DotNetNuke.Core security code analysis rules triggered Low
GHSA-fcpv-w245-r2q7 was published for DotNetNuke.Core (NuGet) Apr 14, 2026
Credited to bdukes and valadas