GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,229 advisories

jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString() Moderate
CVE-2026-50193 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
Credited to deniz-husaj and cowtowncoder
Credited to M0oo0ry
Credited to Faze-up
SearXNG MCP Server: Unbounded Response Body Read Bypasses URL Size Limit in `web_url_read` High
GHSA-xcqx-9jf5-w339 was published for mcp-searxng (npm) Jun 19, 2026
Credited to EQSTLab
Langflow: Unauthenticated DoS through multipart form boundary file upload High
CVE-2026-55446 was published for langflow (pip) Jun 19, 2026
Credited to ethansilvas, AntonioABLima, and andifilhohub
Ultimate Sitemap Parser (USP): Gzip Decompression Bomb Bypasses Sitemap Size Limit High
GHSA-8823-qg2x-pv9f was published for ultimate-sitemap-parser (pip) Jun 19, 2026
Credited to EQSTLab
CoreWCF: Pre-authentication infinite-loop CPU exhaustion in CoreWCF net.tcp / net.pipe / net.uds framing handshake High
CVE-2026-54772 was published for CoreWCF.NetFramingBase (NuGet) Jun 19, 2026
containerd image-triggered runtime DoS via unbounded group parsing Moderate
CVE-2026-47262 was published for github.com/containerd/containerd (Go) Jun 19, 2026
Credited to jake-ciolek and kyle-elliott-tob
undici WebSocket client vulnerable to denial of service via fragment count bypass High
CVE-2026-12151 was published for undici (npm) Jun 19, 2026
Credited to lpinca, Nadav0077, and UlisesGascon
PHP JWT Library: PBES2-HS*+A*KW unwrap accepts an unbounded p2c iteration count, enabling CPU-amplification denial of service High
GHSA-3prj-6hqw-cm82 was published for web-token/jwt-framework (Composer) Jun 18, 2026
pypdf: Missing stream length values ignore defined limits Moderate
GHSA-jm82-fx9c-mx94 was published for pypdf (pip) Jun 18, 2026
Credited to sondt99 and stefan6419846
undici WebSocket client vulnerable to denial of service via cumulative fragment bypass High
CVE-2026-9675 was published for undici (npm) Jun 18, 2026
Credited to mauriceng98, Str1ckl4nd, mcollina, and UlisesGascon
JLine3 Telnet server: Unauthenticated Remote Memory Exhaustion via Unbounded Telnet NEW-ENVIRON Variables High
GHSA-47qp-hqvx-6r3f was published for org.jline:jline-remote-telnet (Maven) Jun 18, 2026
Credited to sectroyer
JLine3 Telnet server: Unauthenticated Remote DoS via Unbounded Telnet NAWS Terminal Geometry High
GHSA-2r2c-cx56-8933 was published for org.jline:jline-remote-telnet (Maven) Jun 18, 2026
Credited to sectroyer
Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak Critical
CVE-2026-55450 was published for langflow (pip) Jun 17, 2026
Credited to vbCrLf, Jkavia, erichare, AntonioABLima, andifilhohub, and Adam-Aghili
Multer vulnerable to Denial of Service via deeply nested field names High
CVE-2026-5079 was published for multer (npm) Jun 17, 2026
Credited to tndud042713, UlisesGascon, and bjohansebas
pypdf: Possible large memory usage for form XObjects during text extraction Moderate
CVE-2026-49461 was published for pypdf (pip) Jun 16, 2026
Credited to manop55555 and stefan6419846
Netty: Unbounded pre-allocation in RedisArrayAggregator from RESP array length High
CVE-2026-50011 was published for io.netty:netty-codec-redis (Maven) Jun 15, 2026
Credited to violetagg
markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations Moderate
CVE-2026-48988 was published for markdown-it (npm) Jun 15, 2026
Credited to tndud042713
python-multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service High
CVE-2026-53539 was published for python-multipart (pip) Jun 15, 2026
Credited to maxisbey
UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()` Moderate
CVE-2026-48125 was published for ua-parser-js (npm) Jun 15, 2026
Credited to sondt99
Microsoft Security Advisory CVE-2026-45591 – ASP.NET Core Denial of Service Vulnerability High
CVE-2026-45591 was published for Microsoft.AspNetCore.App.Runtime.linux-x64 (NuGet) Jun 15, 2026
Credited to thesmartshadow
@angular/common: Denial of Service (DoS) via OOM in Date Formatting (formatDate) High
CVE-2026-54268 was published for @angular/common (npm) Jun 15, 2026
Credited to JeanMeche, alan-agius4, SkyZeroZx, and josephperrott
ProTip! Advisories are also available from the GraphQL API