Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
74
GitHub Actions
54
Go
4,080
Maven
5,000+
npm
5,000+
NuGet
994
pip
5,000+
Pub
13
RubyGems
1,095
Rust
1,412
Swift
61
Unreviewed advisories
All unreviewed
5,000+

418 advisories

Loading
ReDoS in DotVVM routing High
GHSA-c2g3-c4gc-w5wg was published for DotVVM (NuGet) Jun 19, 2026
HAPI FHIR: Incomplete fix for CVE-2026-45367: DSTU2 FHIRPathEngine.matches() missing RegexTimeout protection allows ReDoS High
CVE-2026-55470 was published for ca.uhn.hapi.fhir:org.hl7.fhir.convertors (Maven) Jun 17, 2026
dyingman1 Credited to dyingman1
Bleach linkify(parse_email=True) CPU exhaustion via unbounded email regex scanning Moderate
GHSA-g75f-g53v-794x was published for bleach (pip) Jun 16, 2026
0xHunSec Credited to 0xHunSec
UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()` Moderate
CVE-2026-48125 was published for ua-parser-js (npm) Jun 15, 2026
sondt99 Credited to sondt99
@angular/common: Denial of Service (DoS) via OOM in Date Formatting (formatDate) High
CVE-2026-54268 was published for @angular/common (npm) Jun 15, 2026
JeanMeche Credited to JeanMeche, alan-agius4, SkyZeroZx, and josephperrott alan-agius4 alan-agius4
SkyZeroZx SkyZeroZx josephperrott josephperrott
Applications may be vulnerable to a Regular Expression Denial of Service (ReDoS) attack if an... Low Unreviewed
CVE-2026-41848 was published Jun 9, 2026
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection High
CVE-2026-44496 was published for axios (npm) Jun 4, 2026
August829 Credited to August829
Version 3.0.7 of the Securly Chrome Extension downloads config.json over HTTP and compiles server... High Unreviewed
CVE-2026-8888 was published Jun 3, 2026
Symfony's JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Without Limits — ReDoS Low
CVE-2026-45756 was published for symfony/json-path (Composer) May 28, 2026
alexandre-daubois Credited to alexandre-daubois and unknownhad unknownhad unknownhad
Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex Low
CVE-2026-45305 was published for symfony/symfony (Composer) May 27, 2026
Symfony hardened the parser when handling untrusted input Low
CVE-2026-45133 was published for symfony/symfony (Composer) May 27, 2026
nicolas-grekas Credited to nicolas-grekas and suidpit suidpit suidpit
LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex High
CVE-2026-45617 was published for liquidjs (npm) May 27, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the... High Unreviewed
CVE-2026-9496 was published May 26, 2026
Parse Server: Pre-authentication denial of service via client version header regex backtracking High
CVE-2026-47138 was published for parse-server (npm) May 23, 2026
shmulc8 Credited to shmulc8 and mtrezza mtrezza mtrezza
Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix Moderate
CVE-2026-45409 was published for idna (pip) May 19, 2026
StanFromIreland Credited to StanFromIreland and kjd kjd kjd
HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint High
CVE-2026-45367 was published for ca.uhn.hapi.fhir:org.hl7.fhir.dstu2 (Maven) May 18, 2026
offset Credited to offset
multiparty vulnerable to ReDoS via filename parsing High
CVE-2026-8159 was published for multiparty (npm) May 18, 2026
aszx87410 Credited to aszx87410, blakeembrey, and UlisesGascon blakeembrey blakeembrey
UlisesGascon UlisesGascon
Svelte: ReDoS in `<svelte:element>` Tag Validation Moderate
CVE-2026-42567 was published for svelte (npm) May 14, 2026
Meltedd Credited to Meltedd, dummdidumm, and elliott-with-the-longest-name-on-github dummdidumm dummdidumm
elliott-with-the-longest-name-on-github elliott-with-the-longest-name-on-github
Nautobot: Object bulk rename UI actions vulnerable to denial of service by crafted regular expression (REDoS) Moderate
CVE-2026-44796 was published for nautobot (pip) May 13, 2026
whatisproblem Credited to whatisproblem
ShellHub has crash-DoS via field injection in filter and sort-by parameters Moderate
CVE-2026-44425 was published for github.com/shellhub-io/shellhub (Go) May 6, 2026
Edu0x01 Credited to Edu0x01
Nokogiri CSS selector tokenizer has regular expression backtracking High
GHSA-c4rq-3m3g-8wgx was published for nokogiri (RubyGems) May 6, 2026
colby-swandale Credited to colby-swandale and flavorjones flavorjones flavorjones
Mistune has a ReDoS in LINK_TITLE_RE that allows denial of service via crafted Markdown input High
CVE-2026-33079 was published for mistune (pip) May 6, 2026
kq5y Credited to kq5y
GROWI provided by GROWI, Inc. is vulnerable to a regular expression denial of service (ReDoS) via... High Unreviewed
CVE-2026-41040 was published Apr 23, 2026
Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths High
CVE-2026-39320 was published for signalk-server (npm) Apr 21, 2026
VashuVats Credited to VashuVats
Giskard has a Regular Expression Denial of Service (ReDoS) in RegexMatching Check Low
CVE-2026-40319 was published for giskard-checks (pip) Apr 14, 2026
dhabaleshwar Credited to dhabaleshwar
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database