Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,606
Maven
5,000+
npm
5,000+
NuGet
924
pip
4,831
Pub
13
RubyGems
1,045
Rust
1,256
Swift
53
Unreviewed advisories
All unreviewed
5,000+

197 advisories

Loading
nimiq-block has skip block quorum bypass via out-of-range BitSet indices & u16 truncation Critical
CVE-2026-33471 was published for nimiq-block (Rust) Apr 22, 2026
1seal Credited to 1seal
Brillig: Heap corruption in foreign call results with nested tuple arrays Critical
CVE-2026-41197 was published for brillig (Rust) Apr 21, 2026
Zebra Vulnerable to Consensus Divergence in Transparent Sighash Hash-Type Handling Critical
GHSA-8m29-fpq5-89jj was published for zebra-script (Rust) Apr 18, 2026
conradoplg Credited to conradoplg, mpguerra, and sangsoo-osec mpguerra mpguerra
sangsoo-osec sangsoo-osec
Zebra has rk Identity Point Panic in Transaction Verification Critical
GHSA-452v-w3gx-72wg was published for zebra-chain (Rust) Apr 18, 2026
conradoplg Credited to conradoplg and mpguerra mpguerra mpguerra
nimiq-blockchain is missing a wall-clock upper bound on block timestamps Critical
CVE-2026-40093 was published for nimiq-blockchain (Rust) Apr 10, 2026
Wasmtime with Winch compiler backend on aarch64 may allow a sandbox-escaping memory access Critical
CVE-2026-34987 was published for wasmtime (Rust) Apr 10, 2026
shumbo Credited to shumbo, bholley, and deian bholley bholley
deian deian
Wasmtime: Miscompiled guest heap access enables sandbox escape on aarch64 Cranelift Critical
CVE-2026-34971 was published for wasmtime (Rust) Apr 9, 2026
shumbo Credited to shumbo, bholley, and deian bholley bholley
deian deian
mpp has multiple payment bypass and griefing vulnerabilities Critical
GHSA-fxc9-7j2w-vx54 was published for mpp (Rust) Mar 29, 2026
samczsun Credited to samczsun and veria-labs veria-labs veria-labs
Zebra node crash — V5 transaction hash panic (P2P reachable) Critical
CVE-2026-34202 was published for zebra-chain (Rust) Mar 27, 2026
robustfengbin Credited to robustfengbin, arya2, conradoplg, upbqdn, mpguerra, and alchemydc arya2 arya2
conradoplg conradoplg upbqdn upbqdn mpguerra mpguerra alchemydc alchemydc
RSSN has Arbitrary Code Execution via Unvalidated JIT Instruction Generation in C-FFI Interface Critical
CVE-2026-30960 was published for rssn (Rust) Mar 10, 2026
panayang Credited to panayang
`time-sync` was removed from crates.io due to malicious code Critical
GHSA-mh23-rw7f-v5pq was published for time-sync (Rust) Mar 5, 2026
Pingora has HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing Critical
CVE-2026-2835 was published for pingora-core (Rust) Mar 5, 2026
xclow3n Credited to xclow3n
Pingora vulnerable to HTTP Request Smuggling via Premature Upgrade Critical
CVE-2026-2833 was published for pingora-core (Rust) Mar 5, 2026
xclow3n Credited to xclow3n
`dnp3times` was removed from crates.io due to malicious code Critical
GHSA-xhw7-jhmp-j62j was published for dnp3times (Rust) Mar 5, 2026
zeptoclaw has Shell allowlist-blocklist bypass via command/argument injection and file name wildcards Critical
GHSA-5wp8-q9mx-8jx8 was published for zeptoclaw (Rust) Mar 5, 2026
zpbrent Credited to zpbrent
Duplicate Advisory: HTTP Request Smuggling via Premature Upgrade Critical
GHSA-f9v3-j2m7-4hpg was published for pingora-core (Rust) Mar 5, 2026 withdrawn
Duplicate Advisory: HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing Critical
GHSA-262p-vjx5-45xh was published for pingora-core (Rust) Mar 5, 2026 withdrawn
`time_calibrators` was removed from crates.io due to malicious code Critical
GHSA-wf45-3gpw-vrqv was published for time_calibrators (Rust) Mar 4, 2026
`time_calibrator` was removed from crates.io due to malicious code Critical
GHSA-77xj-rrh3-wx3v was published for time_calibrator (Rust) Mar 4, 2026
`tracing-check` was removed from crates.io for malicious code Critical
GHSA-5pmp-jpcf-pwx6 was published for tracing-check (Rust) Mar 2, 2026
Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover Critical
CVE-2026-27822 was published for rustfs (Rust) Feb 25, 2026
naoyashiga Credited to naoyashiga
`polymarket-client-sdks` was removed from crates.io for malicious code Critical
GHSA-p5vf-5754-x7p3 was published for polymarket-client-sdks (Rust) Feb 13, 2026
`sha-rst` was removed from crates.io for malicious code Critical
GHSA-vgr2-r5hm-f6gf was published for sha-rst (Rust) Feb 12, 2026
`finch_cli_rust` was removed from crates.io for malicious code Critical
GHSA-6v2j-vr4h-f632 was published for finch_cli_rust (Rust) Feb 12, 2026
`finch-rst` was removed from crates.io for malicious code Critical
GHSA-xp79-9mxw-878j was published for finch-rst (Rust) Feb 12, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database