GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 49
GitHub Actions: 49
Go: 3,521
Maven: 5,000+
npm: 5,000+
NuGet: 912
pip: 4,768
Pub: 13
RubyGems: 1,036
Rust: 1,229
Swift: 53
Unreviewed advisories
All unreviewed: 5,000+
10,210 advisories
wger has Broken Access Control in Global Gym Configuration Update Endpoint
High | CVE-2026-40474 was published for wger (pip) | Apr 16, 2026
Path traversal in vite-plus/binding downloadPackageManager() writes outside VP_HOME
High | GHSA-33r3-4whc-44c2 was published for vite-plus (npm) | Apr 16, 2026
Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()
High | GHSA-47hf-23pw-3m8c was published for froxlor/froxlor (Composer) | Apr 16, 2026
Froxlor has Incomplete Symlink Validation in DataDump.add() Allows Arbitrary Directory Ownership Takeover via Cron
High | GHSA-75h4-c557-j89r was published for froxlor/froxlor (Composer) | Apr 16, 2026
OpenRemote has XXE in Velbus Asset Import
High | CVE-2026-40882 was published for io.openremote:openremote-manager (Maven) | Apr 15, 2026
thin-vec: Use-After-Free and Double Free in IntoIter::drop When Element Drop Panics
High | GHSA-xphw-cqx3-667j was published for thin-vec (Rust) | Apr 15, 2026
Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type Header
High | CVE-2026-33806 was published for fastify (npm) | Apr 15, 2026
OAuth2 Proxy has an Authentication Bypass via Fragment Confusion in skip_auth_routes and skip_auth_regex
High | GHSA-pxq7-h93f-9jrg was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) | Apr 15, 2026
Uncontrolled resource consumption and loop with unreachable exit condition in facil.io and downstream iodine ruby gem
High | GHSA-2x79-gwq3-vxxm was published for iodine (RubyGems) | Apr 14, 2026
Jetty has HTTP Request Smuggling via Chunked Extension Quoted-String Parsing
High | CVE-2026-2332 was published for org.eclipse.jetty:jetty-http (Maven) | Apr 14, 2026
MinIO has an Unauthenticated Object Write via Query-String Credential Signature Bypass in Unsigned-Trailer Uploads
High | GHSA-hv4r-mvr4-25vw was published for github.com/minio/minio (Go) | Apr 14, 2026
Kiota: Code Generation Literal Injection
High | GHSA-2hx3-vp6r-mg3f was published for kiota (NuGet) | Apr 14, 2026
pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)
High | GHSA-66hx-chf7-3332 was published for pyload-ng (pip) | Apr 14, 2026
Microsoft Security Advisory CVE-2026-26171 – .NET Denial of Service Vulnerability
High | CVE-2026-26171 was published for System.Security.Cryptography.Xml (NuGet) | Apr 14, 2026
Microsoft Security Advisory CVE-2026-33116 – .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability
High | CVE-2026-33116 was published for System.Security.Cryptography.Xml (NuGet) | Apr 14, 2026
WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection
High | GHSA-pq8p-wc4f-vg7j was published for wwbn/avideo (Composer) | Apr 14, 2026
Novu has a XSS sanitization bypass
High | GHSA-26wg-9xf2-q495 was published for novu/api (npm) | Apr 14, 2026
Novu has SSRF via conditions filter webhook bypasses validateUrlSsrf() protection
High | GHSA-4x48-cgf9-q33f was published for @novu/api (npm) | Apr 14, 2026
WWBN AVideo has a SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL
High | GHSA-j432-4w3j-3w8j was published for wwbn/avideo (Composer) | Apr 14, 2026
WWBN AVideo has a CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) Exposes Authenticated API Responses
High | GHSA-ff5q-cc22-fgp4 was published for wwbn/avideo (Composer) | Apr 14, 2026
WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover
High | GHSA-ccq9-r5cw-5hwq was published for wwbn/avideo (Composer) | Apr 14, 2026
Oxia's TLS CA certificate chain validation fails with multi-certificate PEM bundles
High | GHSA-7jrq-q4pq-rhm6 was published for github.com/oxia-db/oxia (Go) | Apr 14, 2026
Oxia affected by server crash via race condition in session heartbeat handling
High | GHSA-5gqc-qhrj-9xw8 was published for github.com/oxia-db/oxia (Go) | Apr 14, 2026
Oxia exposes bearer token in debug log messages on authentication failure
High | GHSA-pm7q-rjjx-979p was published for github.com/oxia-db/oxia (Go) | Apr 14, 2026
WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script)
High | GHSA-ffw8-fwxp-h64w was published for wwbn/avideo (Composer) | Apr 14, 2026
ProTip! Advisories are also available from the GraphQL API.