Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
41
GitHub Actions
42
Go
3,114
Maven
5,000+
npm
5,000+
NuGet
826
pip
4,428
Pub
12
RubyGems
988
Rust
1,171
Swift
50
Unreviewed advisories
All unreviewed
5,000+

26,868 advisories

Loading
Duplicate Advisory: Cache poisoning via insecure-by-default cache key High
GHSA-2m8c-2374-465f was published for pingora-cache (Rust) Mar 5, 2026 withdrawn
pac4j-jwt: JwtAuthenticator Authentication Bypass via JWE-Wrapped PlainJWT Critical
CVE-2026-29000 was published for org.pac4j:pac4j-jwt (Maven) Mar 5, 2026
fritzdal Credited to fritzdal
Multer Vulnerable to Denial of Service via Uncontrolled Recursion High
CVE-2026-3520 was published for multer (npm) Mar 5, 2026
yuki-matsuhashi Credited to yuki-matsuhashi, ctcpip, and UlisesGascon ctcpip ctcpip
UlisesGascon UlisesGascon
Sliver is Vulnerable to Authenticated Nil-Pointer Dereference through its Handlers Low
CVE-2026-29781 was published for github.com/bishopfox/sliver (Go) Mar 5, 2026
skoveit Credited to skoveit
@backstage/plugin-scaffolder-backend Vulnerable to Potential Session Token Exfiltration via Log Redaction Bypass Low
CVE-2026-29184 was published for @backstage/plugin-scaffolder-backend (npm) Mar 5, 2026
Backstage vulnerable to potential reading of SCM URLs using built in token Low
CVE-2026-29185 was published for @backstage/integration (npm) Mar 5, 2026
eml_parser: Path Traversal in Official Example Script Leads to Arbitrary File Write Moderate
CVE-2026-29780 was published for eml-parser (pip) Mar 5, 2026
redyank Credited to redyank
TechDocs Mkdocs Configuration Key Enables Arbitrary Code Execution High
CVE-2026-29186 was published for @backstage/plugin-techdocs-node (npm) Mar 5, 2026
Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege Escalation on Windows High
CVE-2025-15558 was published for github.com/docker/cli (Go) Mar 5, 2026
SVGO DoS through entity expansion in DOCTYPE (Billion Laughs) High
CVE-2026-29074 was published for svgo (npm) Mar 4, 2026
ByamB4 Credited to ByamB4 and isaacs isaacs isaacs
ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover High
CVE-2026-29192 was published for github.com/zitadel/zitadel (Go) Mar 4, 2026
amit-laish Credited to amit-laish and livio-a livio-a livio-a
ZITADEL: Login V2 UI Policy Bypass Allows Unauthorized Self-Registration and Authentication High
CVE-2026-29193 was published for github.com/zitadel/zitadel (Go) Mar 4, 2026
amit-laish Credited to amit-laish and livio-a livio-a livio-a
ZITADEL has 1-Click Account Takeover via XSS in /saml-post Endpoint Critical
CVE-2026-29191 was published for github.com/zitadel/zitadel (Go) Mar 4, 2026
amit-laish Credited to amit-laish, bastionstack, and livio-a bastionstack bastionstack
livio-a livio-a
File Browser's TUS Delete Endpoint Bypasses Delete Permission Check Critical
CVE-2026-29188 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 4, 2026
fg0x0 Credited to fg0x0 and hacdias hacdias hacdias
Netmaker Vulnerable to Denial of Service via Server Shutdown Endpoint High
CVE-2026-29771 was published for github.com/gravitl/netmaker (Go) Mar 4, 2026
m4dn355 Credited to m4dn355
SiYuan: Unauthenticated Reflected XSS via SVG Injection in /api/icon/getDynamicIcon Endpoint Critical
CVE-2026-29183 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 4, 2026
maru1009 Credited to maru1009
Fickling missing RCE-capable modules in UNSAFE_IMPORTS High
GHSA-5hwf-rc88-82xm was published for fickling (pip) Mar 4, 2026
yash2998chhabria Credited to yash2998chhabria
Fickling has `always_check_safety()` bypass: pickle.loads and _pickle.loads remain unhooked High
GHSA-wccx-j62j-r448 was published for fickling (pip) Mar 4, 2026
mldangelo Credited to mldangelo
changedetection.io has Zip Slip vulnerability in the backup restore functionality High
CVE-2026-29065 was published for changedetection.io (pip) Mar 4, 2026
pussycat0x Credited to pussycat0x and neo-ai-engineer neo-ai-engineer neo-ai-engineer
Immutable is vulnerable to Prototype Pollution High
CVE-2026-29063 was published for immutable (npm) Mar 4, 2026
davkharrr Credited to davkharrr and FeBe95 FeBe95 FeBe95
jackson-core has Nesting Depth Constraint Bypass in `UTF8DataInputJsonParser` potentially allowing Resource Exhaustion High
CVE-2026-29062 was published for tools.jackson.core:jackson-core (Maven) Mar 4, 2026
sprabhav7 Credited to sprabhav7 and rohan-repos rohan-repos rohan-repos
traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`) High
CVE-2026-29054 was published for github.com/traefik/traefik/v2 (Go) Mar 4, 2026
1seal Credited to 1seal
`time_calibrators` was removed from crates.io due to malicious code Critical
GHSA-wf45-3gpw-vrqv was published for time_calibrators (Rust) Mar 4, 2026
Nuclio Shell Runtime Command Injection Leading to Privilege Escalation High
CVE-2026-29042 was published for github.com/nuclio/nuclio (Go) Mar 4, 2026
b0b0haha Credited to b0b0haha and j311yl0v3u j311yl0v3u j311yl0v3u
changedetection.io vulnerable to XPath - Arbitrary File Read via unparsed-text() High
CVE-2026-29039 was published for changedetection.io (pip) Mar 4, 2026
DhiyaneshGeek Credited to DhiyaneshGeek and neo-ai-engineer neo-ai-engineer neo-ai-engineer
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database