
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

10,020 advisories

Tornado has cookie attribute injection via .RequestHandler.set_cookie High
CVE-2026-35536 was published for tornado (pip) Apr 3, 2026
pyLoad: Improper Neutralization of Special Elements used in an OS Command High
CVE-2026-35463 was published for pyload-ng (pip) Apr 4, 2026
Credited to axel-corsiez
libp2p-rendezvous: Unbounded rendezvous DISCOVER cookies enable remote memory exhaustion High
CVE-2026-35457 was published for libp2p-rendezvous (Rust) Apr 4, 2026
Credited to failuresmith
libp2p-rendezvous: Unlimited namespace registrations per peer enables OOM DoS on rendezvous servers High
CVE-2026-35405 was published for libp2p-rendezvous (Rust) Apr 4, 2026
Credited to SilentSobs
OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter High
GHSA-9jpj-g8vv-j5mf was published for openclaw (npm) Apr 4, 2026
Credited to BG0ECV
Code Extension Marketplace: Zip Slip Path Traversal High
CVE-2026-35454 was published for github.com/coder/code-marketplace (Go) Apr 4, 2026
Credited to vamsik2k5
defu: Prototype pollution via `__proto__` key in defaults argument High
CVE-2026-35209 was published for defu (npm) Apr 4, 2026
Credited to BlackHatExploitation and kricsleo
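The defu entry above names the bug class "prototype pollution via a `__proto__` key in the defaults argument". The following is an added illustration of that class written for this page; it is not defu's code and does not reproduce defu's fix. `mergeDefaultsUnsafe`, `mergeDefaultsSafe`, `demoPollution` and the JSON input are constructed for the example.

```javascript
// Added illustration of the prototype-pollution bug class named in the defu
// entry above. NOT defu's code: mergeDefaultsUnsafe, mergeDefaultsSafe,
// demoPollution and the sample input are constructed for this example.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive recursive "fill in the defaults" merge. A "__proto__" key in
// `defaults` is treated like any other key, so `target["__proto__"]` resolves
// to Object.prototype and the recursion writes attacker-chosen properties
// onto the prototype shared by every object in the process.
function mergeDefaultsUnsafe(target, defaults) {
  for (const key in defaults) {
    const value = defaults[key];
    if (isPlainObject(value)) {
      if (target[key] == null) target[key] = {};
      mergeDefaultsUnsafe(target[key], value);
    } else if (target[key] === undefined) {
      target[key] = value;
    }
  }
  return target;
}

// Hardened variant: iterate own keys only, refuse the keys that can reach a
// prototype, and only descend into containers that are own plain objects of
// `target` (never into inherited values or primitives).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeDefaultsSafe(target, defaults) {
  for (const key of Object.keys(defaults)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = defaults[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key)) target[key] = {};
      if (isPlainObject(target[key])) mergeDefaultsSafe(target[key], value);
    } else if (!hasOwn(target, key)) {
      target[key] = value;
    }
  }
  return target;
}

// Run the attack once through each merge and report what a fresh, unrelated
// object "sees" afterwards.
function demoPollution() {
  // Constructed attacker input. JSON.parse creates "__proto__" as an ordinary
  // own data property, which is exactly what a naive key walk then follows.
  const untrusted = JSON.parse('{"__proto__": {"isAdmin": true}, "timeout": 30}');

  const before = ({}).isAdmin;                    // undefined
  mergeDefaultsUnsafe({ retries: 3 }, untrusted);
  const afterUnsafe = ({}).isAdmin;               // true: every object is now "admin"
  delete Object.prototype.isAdmin;                // undo the pollution before the safe run

  const safeResult = mergeDefaultsSafe({ retries: 3 }, untrusted);
  const afterSafe = ({}).isAdmin;                 // still undefined
  return { before, afterUnsafe, afterSafe, safeResult };
}

console.log(demoPollution());
```

The denylist on key names is the minimum fix; merging into objects created with `Object.create(null)` or using `Map` for untrusted keys removes the prototype from the picture entirely and is the more robust design.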
LightRAG: Hardcoded JWT Signing Secret Allows Authentication Bypass High
CVE-2026-30762 was published for lightrag-hku (pip) Apr 4, 2026
Credited to Venkatatadu
Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries High
CVE-2026-35442 was published for directus (npm) Apr 4, 2026
Credited to bugbunny-research
Directus: TUS Upload Authorization Bypass Allows Arbitrary File Overwrite High
CVE-2026-35412 was published for directus (npm) Apr 4, 2026
Credited to bugbunny-research
Directus: SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import High
CVE-2026-35409 was published for directus (npm) Apr 4, 2026
Credited to alissonbezerra and odgrso
Directus: Path Traversal and Broken Access Control in File Management API High
GHSA-393c-p46r-7c95 was published for directus (npm) Apr 4, 2026
Credited to r3dpower, pmins99, and odgrso
Directus: Missing Cross-Origin Opener Policy High
CVE-2026-35408 was published for directus (npm) Apr 4, 2026
Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write High
CVE-2026-35214 was published for @budibase/server (npm) Apr 4, 2026
Credited to bugbunny-research
Keycloak: Application-Level DoS via Scope Processing High
CVE-2026-4634 was published for org.keycloak:keycloak-services (Maven) Apr 2, 2026
Keycloak: UMA Policy Resource Injection Allows Unauthorized Cross-User Permission Grants High
CVE-2026-4636 was published for org.keycloak:keycloak-services (Maven) Apr 2, 2026
Keycloak: Redirect URI validation bypass via ..;/ path traversal in OIDC auth endpoint High
CVE-2026-3872 was published for org.keycloak:keycloak-services (Maven) Apr 2, 2026
Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw High
CVE-2026-4282 was published for org.keycloak:keycloak-services (Maven) Apr 2, 2026
scaly: Multiple soundness issues in Rust safe APIs High
GHSA-2c6h-4899-wjxr was published for scaly (Rust) Apr 4, 2026
fast-jwt accepts unknown `crit` header extensions (RFC 7515 violation) High
CVE-2026-35042 was published for fast-jwt (npm) Apr 3, 2026
Credited to dmbs335
@mobilenext/mobile-mcp: Arbitrary Android Intent Execution via mobile_open_url High
CVE-2026-35394 was published for @mobilenext/mobile-mcp (npm) Apr 4, 2026
Credited to manthanghasadiya
@stablelib/cbor: Stack exhaustion Denial of Service via deeply nested CBOR arrays, maps, or tags High
GHSA-5jg4-p4qw-cgfr was published for @stablelib/cbor (npm) Apr 4, 2026
Credited to Jvr2022
@stablelib/cbor: Prototype poisoning via `__proto__` map keys in CBOR decoding High
GHSA-w48f-fwg7-ww6p was published for @stablelib/cbor (npm) Apr 4, 2026
Credited to Jvr2022