GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 49; GitHub Actions 49; Go 3,549; Maven 5,000+; npm 5,000+; NuGet 917; pip 4,798; Pub 13; RubyGems 1,038; Rust 1,237; Swift 53.
Unreviewed advisories: All unreviewed 5,000+.
258 advisories
webpki: Name constraints were accepted for certificates asserting a wildcard name. Severity: Low. GHSA-xgp8-3hg3-c2mh was published for rustls-webpki (Rust) on Apr 16, 2026.
webpki: Name constraints for URI names were incorrectly accepted. Severity: Low. GHSA-965h-392x-2mh5 was published for rustls-webpki (Rust) on Apr 16, 2026.
Oxia's TLS CA certificate chain validation fails with multi-certificate PEM bundles. Severity: High. GHSA-7jrq-q4pq-rhm6 was published for github.com/oxia-db/oxia (Go) on Apr 14, 2026.
Sigstore Timestamp Authority has Improper Certificate Validation in verifier. Severity: Moderate. CVE-2026-39984 was published for github.com/sigstore/timestamp-authority/v2 (Go) on Apr 14, 2026.
rfc3161-client Has Improper Certificate Validation. Severity: Moderate. CVE-2026-33753 was published for rfc3161-client (pip) on Apr 8, 2026.
Open Cluster Management (OCM): Cross-cluster privilege escalation via improper Kubernetes client certificate renewal validation. Severity: High. CVE-2026-4740 was published for open-cluster-management.io/ocm (Go) on Apr 7, 2026.
Juju has Improper TLS Client/Server authentication and certificate verification on Database Cluster. Severity: Critical. CVE-2026-4370 was published for github.com/juju/juju (Go) on Apr 2, 2026.
Tesla Fleet Telemetry allows spoofing telemetry for arbitrary vehicles via compromised vehicle credentials. Severity: Moderate. GHSA-prxj-3gcv-cqrh was published for github.com/teslamotors/fleet-telemetry (Go) on Apr 1, 2026.
Apache Airflow Provider for Databricks: TLS Certificate Verification is Disabled in Databricks Provider K8s Token Exchange. Severity: Moderate. CVE-2026-32794 was published for apache-airflow (pip) on Mar 31, 2026.
cryptography has incomplete DNS name constraint enforcement on peer names. Severity: Low. CVE-2026-34073 was published for cryptography (pip) on Mar 27, 2026.
Incus does not verify combined fingerprint when downloading images from simplestreams servers. Severity: High. CVE-2026-33542 was published for github.com/lxc/incus/v6/client (Go) on Mar 27, 2026.
Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation). Severity: High. CVE-2026-33896 was published for node-forge (npm) on Mar 26, 2026.
NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching. Severity: Moderate. CVE-2026-33248 was published for github.com/nats-io/nats-server (Go) on Mar 24, 2026.
CRL Distribution Point Scope Check Logic Error in AWS-LC. Severity: High. GHSA-9f94-5g5w-gf6r was published for aws-lc-fips-sys (Rust) on Mar 20, 2026.
AWS-LC X.509 Name Constraints Bypass via Wildcard/Unicode CN. Severity: High. GHSA-394x-vwmw-crm3 was published for aws-lc-sys (Rust) on Mar 20, 2026.
step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18). Severity: Critical. CVE-2026-30836 was published for github.com/smallstep/certificates (Go) on Mar 19, 2026.
Terraform Provider for ArgoCD has possible exposure to GO-2026-4337 / CVE-2025-68121. Severity: Moderate. GHSA-594f-3595-c47v was published for github.com/argoproj-labs/terraform-provider-argocd (Go) on Mar 18, 2026.
Terraform Provider for SendGrid: TLS Session Resumption Bypasses Certificate Authority Trust Store Modifications in Go. Severity: Critical. GHSA-j443-wcqq-xprh was published for github.com/arslanbekov/terraform-provider-sendgrid (Go) on Mar 11, 2026.
Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager. Severity: High. CVE-2026-24281 was published for org.apache.zookeeper:zookeeper (Maven) on Mar 7, 2026.
OpenClaw affected by iMessage remote attachment SCP hardening (strict host-key checks and remoteHost validation). Severity: Moderate. GHSA-2mc2-g238-722j was published for openclaw (npm) on Mar 3, 2026.
AWS-LC has PKCS7_verify Certificate Chain Validation Bypass. Severity: High. GHSA-vw5v-4f2q-w9xf was published for aws-lc-sys (Rust) on Mar 3, 2026.
yapi disables TLS/SSL certificate validation via rejectUnauthorized: false in Axios HTTPS agent. Severity: High. CVE-2025-70058 was published for yapi-vendor (npm) on Feb 23, 2026.
Cosign considered signatures valid with expired intermediate certificates when transparency log verification is skipped. Severity: Low. CVE-2026-24122 was published for github.com/sigstore/cosign (Go) on Feb 19, 2026.
Apache Tomcat: Client certificate verification bypass. Severity: Moderate. CVE-2025-66614 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) on Feb 17, 2026.
Keylime Missing Authentication for Critical Function and Improper Authentication. Severity: Critical. CVE-2026-1709 was published for keylime (pip) on Feb 6, 2026.