GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
2,461 advisories
Filter by severity
Keystone: GraphQL API Endpoint Lacks Query Depth Limits
Low
CVE-2026-10802
was published
for
@keystone-6/core
(npm)
Jun 4, 2026
ms-swift: Image Cache Hash Collision via Missing Dimension Metadata
Low
CVE-2026-10801
was published
for
ms-swift
(pip)
Jun 4, 2026
Prototype pollution in @feathersjs/commons _.merge via JSON-parsed __proto__
Low
CVE-2026-54335
was published
for
@feathersjs/commons
(npm)
Jul 14, 2026
Gradio: Audio cache key ignores metadata when saving numpy audio outputs
Low
CVE-2026-10783
was published
for
gradio
(pip)
Jun 4, 2026
mlrun: DataFrame hash collisions can cause dataset artifact path conflicts and silent data corruption
Low
CVE-2026-10766
was published
for
mlrun
(pip)
Jun 3, 2026
Wasmtime: Memory leak in C API with `externref` and `anyref` types
Low
CVE-2025-61670
was published
for
wasmtime-bin
(pip)
Jul 14, 2026
FacturaScripts: Stored XSS in WidgetVariante and WidgetSubcuenta modal lists via HTML-attribute decoding of `Tools::noHtml`-escaped quotes inside `onclick=`
Low
CVE-2026-45710
was published
for
facturascripts/facturascripts
(Composer)
Jul 14, 2026
Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake
Low
CVE-2026-7666
was published
for
django
(pip)
Jun 3, 2026
daphne: WebSocket handshake header smuggling through autobahn splitlines() mishandling of non-standard line separators
Low
CVE-2026-44546
was published
for
daphne
(pip)
Jun 3, 2026
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login
Low
CVE-2026-48589
was published
for
org.apache.shiro:shiro-jakarta-ee
(Maven)
May 26, 2026
Code Index MCP is vulnerable to Uncontrolled Resource Consumption
Low
CVE-2026-10692
was published
for
code-index-mcp
(pip)
Jun 3, 2026
DesktopCommanderMCP is vulnerable to SSRF
Low
CVE-2026-10690
was published
for
@wonderwhy-er/desktop-commander
(npm)
Jun 3, 2026
DesktopCommanderMCP is vulnerable to Uncontrolled Resource Consumption
Low
CVE-2026-10691
was published
for
@wonderwhy-er/desktop-commander
(npm)
Jun 3, 2026
Tesla vulnerable to multipart part smuggling via unescaped `content-disposition` values
Low
CVE-2026-48598
was published
for
tesla
(Erlang)
Jul 10, 2026
Tesla has CRLF injection in request `Content-Type` header via `add_content_type_param`
Low
CVE-2026-48596
was published
for
tesla
(Erlang)
Jul 10, 2026
mint has potential CRLF injection in its HTTP request line via unvalidated `method`/`target`
Low
CVE-2026-48861
was published
for
mint
(Erlang)
Jul 9, 2026
hermes-agent has an Injection issue
Low
CVE-2026-10222
was published
for
hermes-agent
(pip)
Jun 1, 2026
Apache Airflow has an Incorrect Authorization issue
Low
CVE-2026-45426
was published
for
apache-airflow
(pip)
Jun 1, 2026
Apache Airflow has an Improper Authorization issue
Low
CVE-2026-40963
was published
for
apache-airflow
(pip)
Jun 1, 2026
FoundationAgents MetaGPT: Deserialization through flawed argument mapping via Message.check_instruct_content()
Low
CVE-2026-10566
was published
for
metagpt
(pip)
Jun 2, 2026
Craft CMS has authenticated path traversal in `assets/icon`, allowing local `.svg` file read
Low
GHSA-c43v-4cr8-6mvp
was published
for
craftcms/cms
(Composer)
Jul 9, 2026
SGLang: Reachable Assertion via lora_path in LoRAManager enables remote Denial of Dervice
Low
CVE-2026-10300
was published
for
sglang
(pip)
Jun 2, 2026
Waku has an Open Redirect via `unstable_redirect` Helper
Low
CVE-2026-49456
was published
for
waku
(npm)
Jul 8, 2026
Logback vulnerable to Object Injection through HardenedObjectInputStream modules
Low
CVE-2026-10532
was published
for
ch.qos.logback:logback-core
(Maven)
Jun 1, 2026
Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning
Low
CVE-2026-46342
was published
for
@nuxt/nitro-server
(npm)
May 19, 2026
ProTip!
Advisories are also available from the
GraphQL API