GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
2,461 advisories
Filter by severity
Prototype pollution in @feathersjs/commons _.merge via JSON-parsed __proto__
Low
CVE-2026-54335
was published
for
@feathersjs/commons
(npm)
Jul 14, 2026
Wasmtime: Memory leak in C API with `externref` and `anyref` types
Low
CVE-2025-61670
was published
for
wasmtime-bin
(pip)
Jul 14, 2026
FacturaScripts: Stored XSS in WidgetVariante and WidgetSubcuenta modal lists via HTML-attribute decoding of `Tools::noHtml`-escaped quotes inside `onclick=`
Low
CVE-2026-45710
was published
for
facturascripts/facturascripts
(Composer)
Jul 14, 2026
Tesla vulnerable to multipart part smuggling via unescaped `content-disposition` values
Low
CVE-2026-48598
was published
for
tesla
(Erlang)
Jul 10, 2026
Tesla has CRLF injection in request `Content-Type` header via `add_content_type_param`
Low
CVE-2026-48596
was published
for
tesla
(Erlang)
Jul 10, 2026
mint has potential CRLF injection in its HTTP request line via unvalidated `method`/`target`
Low
CVE-2026-48861
was published
for
mint
(Erlang)
Jul 9, 2026
Craft CMS has authenticated path traversal in `assets/icon`, allowing local `.svg` file read
Low
GHSA-c43v-4cr8-6mvp
was published
for
craftcms/cms
(Composer)
Jul 9, 2026
Waku has an Open Redirect via `unstable_redirect` Helper
Low
CVE-2026-49456
was published
for
waku
(npm)
Jul 8, 2026
rama has Stored XSS in ServeDir HTML directory listing via unescaped file names and URI path
Low
GHSA-cwv4-h3j5-w3cf
was published
for
rama
(Rust)
Jul 7, 2026
Webauthn: SimpleFakeCredentialGenerator with an empty secret produces predictable fake credentials, weakening username enumeration protection
Low
GHSA-gq4g-fpc9-vjfq
was published
for
web-auth/webauthn-lib
(Composer)
Jul 7, 2026
Better Auth: Stale sessions persist after user deletion across admin, anonymous, and SCIM flows
Low
GHSA-2vg6-77g8-24mp
was published
for
@better-auth/scim
(npm)
Jul 7, 2026
netfoil: Attacker controlled data written to logs
Low
GHSA-7856-g3gv-9wq8
was published
for
github.com/tinfoil-factory/netfoil
(Go)
Jul 7, 2026
netfoil has a resource leak in LRU cache
Low
GHSA-3g4q-2f67-2gvh
was published
for
github.com/tinfoil-factory/netfoil
(Go)
Jul 7, 2026
cut: -s ignored in -z -d '' newline-delimiter mode
Low
CVE-2026-35381
was published
for
uu_cut
(Rust)
Jul 6, 2026
mknod: Device nodes created mislabeled on SELinux, with broken cleanup (remove_dir on a node)
Low
CVE-2026-35361
was published
for
uu_mknod
(Rust)
Jul 6, 2026
Kiwi TCMS vulnerable to stored XSS via JavaScript: URI in extra_link field (TestPlan & TestCase)
Low
CVE-2026-55630
was published
for
kiwitcms
(pip)
Jul 6, 2026
Linuxfabrik Monitoring Plugins allow insecure creation of SQLite databases
Low
CVE-2026-53759
was published
for
linuxfabrik-lib
(pip)
Jul 6, 2026
uucore: safe_traversal TOCTOU protection only enabled on Linux
Low
CVE-2026-35362
was published
for
uucore
(Rust)
Jul 6, 2026
mkdir: -m exposes directory with umask perms before chmod (race window)
Low
CVE-2026-35353
was published
for
uu_mkdir
(Rust)
Jul 6, 2026
id: pretty-print uses effective GID instead of effective UID for name lookup
Low
CVE-2026-35371
was published
for
uu_id
(Rust)
Jul 6, 2026
cut: -s (only-delimited) ignored when delimiter is a newline
Low
CVE-2026-35343
was published
for
uu_cut
(Rust)
Jul 6, 2026
ln: rejects non-UTF-8 source filenames in target-directory mode
Low
CVE-2026-35373
was published
for
uu_ln
(Rust)
Jul 6, 2026
comm: lossy UTF-8 conversion silently corrupts non-UTF-8 output
Low
CVE-2026-35346
was published
for
uu_comm
(Rust)
Jul 6, 2026
mktemp: empty TMPDIR creates temp files in CWD instead of /tmp
Low
CVE-2026-35342
was published
for
uu_mktemp
(Rust)
Jul 6, 2026
Kiwi TCMS's /init-db/ page renders and responds to requests after first use
Low
CVE-2026-49292
was published
for
kiwitcms
(pip)
Jul 2, 2026
ProTip!
Advisories are also available from the
GraphQL API