GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 74
GitHub Actions: 54
Go: 4,080
Maven: 5,000+
npm: 5,000+
NuGet: 994
pip: 5,000+
Pub: 13
RubyGems: 1,095
Rust: 1,412
Swift: 61

Unreviewed advisories
All unreviewed: 5,000+
3,632 advisories

pydantic-settings: NestedSecretsSettingsSource follows symlinks outside secrets_dir, enabling local file read and bypassing secrets_dir_max_size
Moderate | GHSA-4xgf-cpjx-pc3j was published for pydantic-settings (pip) | Jun 19, 2026

SearXNG MCP Server: Unbounded Response Body Read Bypasses URL Size Limit in `web_url_read`
High | GHSA-xcqx-9jf5-w339 was published for mcp-searxng (npm) | Jun 19, 2026

urllib3 version 2.6.3 is vulnerable to a decompression bomb bypass in its streaming API (...
High | Unreviewed | CVE-2026-9375 was published | Jun 19, 2026

Langflow: Unauthenticated DoS through multipart form boundary file upload
High | CVE-2026-55446 was published for langflow (pip) | Jun 19, 2026

Ultimate Sitemap Parser (USP): Gzip Decompression Bomb Bypasses Sitemap Size Limit
High | GHSA-8823-qg2x-pv9f was published for ultimate-sitemap-parser (pip) | Jun 19, 2026

CoreWCF: Pre-authentication infinite-loop CPU exhaustion in CoreWCF net.tcp / net.pipe / net.uds framing handshake
High | CVE-2026-54772 was published for CoreWCF.NetFramingBase (NuGet) | Jun 19, 2026

containerd image-triggered runtime DoS via unbounded group parsing
Moderate | CVE-2026-47262 was published for github.com/containerd/containerd (Go) | Jun 19, 2026

undici WebSocket client vulnerable to denial of service via fragment count bypass
High | CVE-2026-12151 was published for undici (npm) | Jun 19, 2026

A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a...
Moderate | Unreviewed | CVE-2026-48937 was published | Jun 18, 2026

PHP JWT Library: PBES2-HS*+A*KW unwrap accepts an unbounded p2c iteration count, enabling CPU-amplification denial of service
High | GHSA-3prj-6hqw-cm82 was published for web-token/jwt-framework (Composer) | Jun 18, 2026

pypdf: Missing stream length values ignore defined limits
Moderate | GHSA-jm82-fx9c-mx94 was published for pypdf (pip) | Jun 18, 2026

undici WebSocket client vulnerable to denial of service via cumulative fragment bypass
High | CVE-2026-9675 was published for undici (npm) | Jun 18, 2026

JLine3 Telnet server: Unauthenticated Remote Memory Exhaustion via Unbounded Telnet NEW-ENVIRON Variables
High | GHSA-47qp-hqvx-6r3f was published for org.jline:jline-remote-telnet (Maven) | Jun 18, 2026

JLine3 Telnet server: Unauthenticated Remote DoS via Unbounded Telnet NAWS Terminal Geometry
High | GHSA-2r2c-cx56-8933 was published for org.jline:jline-remote-telnet (Maven) | Jun 18, 2026

Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak
Critical | CVE-2026-55450 was published for langflow (pip) | Jun 17, 2026

In PackageInstaller.Session#transfer of frameworks/base/services/core/java/com/android/server/pm...
Critical | Unreviewed | CVE-2026-28575 was published | Jun 17, 2026

In multiple places, there is a possible persistent denial of service due to resource exhaustion....
Critical | Unreviewed | CVE-2026-0064 was published | Jun 17, 2026

Vulnerability in the MySQL Server, MySQL Cluster product of Oracle MySQL (component: Server:...
High | Unreviewed | CVE-2026-46863 was published | Jun 17, 2026

Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager...
High | Unreviewed | CVE-2026-46866 was published | Jun 17, 2026

Vulnerability in the MySQL Router product of Oracle MySQL (component: Router: General). ...
High | Unreviewed | CVE-2026-46862 was published | Jun 17, 2026

Multer vulnerable to Denial of Service via deeply nested field names
High | CVE-2026-5079 was published for multer (npm) | Jun 17, 2026

Denial-of-service in the Graphics: ImageLib component. This vulnerability was fixed in Firefox...
Moderate | Unreviewed | CVE-2026-12325 was published | Jun 16, 2026

Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox...
Moderate | Unreviewed | CVE-2026-12319 was published | Jun 16, 2026

pypdf: Possible large memory usage for form XObjects during text extraction
Moderate | CVE-2026-49461 was published for pypdf (pip) | Jun 16, 2026

An issue in the uploadPostHandler component of Andrei Marcu linx-server v2.3.8 allows attackers...
High | Unreviewed | CVE-2026-50879 was published | Jun 15, 2026