GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

29,215 advisories

podman kube play symlink traversal vulnerability High
CVE-2025-9566 was published for github.com/containers/podman/v4 (Go) Sep 4, 2025
Credited to Luap99
Incomplete fix for CVE-2026-34935: Command Injection in MervinPraison/PraisonAI Critical
GHSA-9qhq-v63v-fv3j was published for praisonai (pip) Apr 17, 2026
Credited to decsecre583
OpenClaw: busybox and toybox applet execution weakened exec approval binding High
GHSA-2cq5-mf3v-mx44 was published for openclaw (npm) Apr 17, 2026
Credited to decsecre583
Wish has SCP Path Traversal that allows arbitrary file read/write Critical
GHSA-xjvp-7243-rg9h was published for charm.land/wish/v2 (Go) Apr 18, 2026
Credited to evnsh and aymanbagabas
DotNetNuke.Core has stored cross-site-scripting (XSS) via SVG upload High
CVE-2026-40321 was published for DotNetNuke.Core (NuGet) Apr 10, 2026
Credited to bdukes, valadas, and mbadanoiu
PHPUnit has Argument injection via newline in PHP INI values that are forwarded to child processes High
GHSA-qrr6-mg7r-m243 was published for phpunit/phpunit (Composer) Apr 18, 2026
Credited to kayw-geek
Arbitrary code execution in protobufjs Critical
CVE-2026-41242 was published for protobufjs (npm) Apr 16, 2026
Credited to cristianstaicu, alexander-fenster, and sofisl
Directus: Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow Moderate
CVE-2026-35410 was published for directus (npm) Apr 4, 2026
Credited to POV9en
Zebra Vulnerable to Consensus Divergence in Transparent Sighash Hash-Type Handling Critical
GHSA-8m29-fpq5-89jj was published for zebra-script (Rust) Apr 18, 2026
Credited to conradoplg, mpguerra, and sangsoo-osec
Zebra Vulnerable to Denial of Service via Interrupted JSON-RPC Requests from Authenticated Clients Moderate
GHSA-29x4-r6jv-ff4w was published for zebra-rpc (Rust) Apr 18, 2026
Credited to upbqdn, mpguerra, and conradoplg
Zebra has rk Identity Point Panic in Transaction Verification Critical
GHSA-452v-w3gx-72wg was published for zebra-chain (Rust) Apr 18, 2026
Credited to mpguerra
NLTK has Arbitrary File Read via Absolute Path Input in nltk.util.filestring() High
CVE-2026-0846 was published for nltk (pip) Mar 9, 2026
MailKit has STARTTLS Response Injection via unflushed stream buffer that enables SASL mechanism downgrade Moderate
GHSA-9j88-vvj5-vhgr was published for MailKit (NuGet) Apr 18, 2026
Credited to ROCmertakdag
pretalx vulnerable to stored cross-site scripting in organizer search typeahead High
GHSA-cjcx-jfp2-f7m2 was published for pretalx (pip) Apr 18, 2026
pretalx mail templates vulnerable to email injection via unescaped user-controlled placeholders Moderate
GHSA-jm8c-9f3j-4378 was published for pretalx (pip) Apr 18, 2026
Credited to markfijneman
Dagster Vulnerable to SQL Injection via Dynamic Partition Keys in Database I/O Manager Integrations High
GHSA-mjw2-v2hm-wj34 was published for dagster (pip) Apr 18, 2026
Credited to alexwaira, vyprsec-research, and romain-deperne
Amazon EFS CSI Driver has mount option injection via unsanitized volumeHandle and mounttargetip fields Moderate
CVE-2026-6437 was published for github.com/kubernetes-sigs/aws-efs-csi-driver (Go) Apr 18, 2026
Bouncy Castle Uncontrolled Resource Consumption vulnerability High
CVE-2026-3505 was published for org.bouncycastle:bcpg-jdk12 (Maven) Apr 17, 2026
Bouncy Castle has an LDAP injection Moderate
CVE-2026-0636 was published for org.bouncycastle:bcprov-jdk14 (Maven) Apr 17, 2026
OpenTelemetry .NET has potential memory exhaustion via unbounded pooled-list sizing in Jaeger exporter conversion path Moderate
CVE-2026-41078 was published for OpenTelemetry.Exporter.Jaeger (NuGet) Apr 18, 2026
Credited to Kielek and arminru
PAC4J has a Cross-Site Request Forgery (CSRF) Vulnerability High
CVE-2026-40458 was published for org.pac4j:pac4j-core (Maven) Apr 17, 2026
Craftql vulnerable to Server-Side Request Forgery Moderate
CVE-2026-31317 was published for markhuot/craftql (Composer) Apr 17, 2026
goldmark vulnerable to Cross-site Scripting (XSS) Moderate
CVE-2026-5160 was published for github.com/yuin/goldmark/renderer/html (Go) Apr 17, 2026
Dolibarr has SQL injection vulnerability in the rowid parameter of the admin dict.php High
CVE-2019-25710 was published for dolibarr/dolibarr (Composer) Apr 12, 2026
YesWiki vulnerable to authenticated SQL Injection via id_fiche in EntryManager::formatDataBeforeSave() High
GHSA-f58v-p6j9-24c2 was published for yeswiki/yeswiki (Composer) Apr 18, 2026
Credited to morimori-dev