GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
102
GitHub Actions
54
Go
4,323
Maven
5,000+
npm
5,000+
NuGet
1,031
pip
5,000+
Pub
13
RubyGems
1,122
Rust
1,494
Swift
61
Unreviewed advisories
All unreviewed
5,000+
33,317 advisories
Filter by severity
axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
High
CVE-2026-44492
was published
for
axios
(npm)
May 29, 2026
golang.org/x/crypto: Invoking VerifiedPublicKeyCallback permissions skip enforcement
Critical
CVE-2026-46595
was published
for
golang.org/x/crypto
(Go)
Jun 25, 2026
golang.org/x/crypto doesn't drop invoking agent constraints when forwarding keys
Critical
CVE-2026-39832
was published
for
golang.org/x/crypto
(Go)
Jun 25, 2026
golang.org/x/crypto vulnerable to auth bypass via unenforced @revoked status
Critical
CVE-2026-42508
was published
for
golang.org/x/crypto
(Go)
Jun 25, 2026
golang.org/x/crypto is vulnerable to invoking server panic during CheckHostKey/Authenticate flow
Moderate
CVE-2026-39835
was published
for
golang.org/x/crypto
(Go)
Jun 25, 2026
golang.org/x/crypto: Invoking client can cause server deadlock on unexpected responses
Critical
CVE-2026-39830
was published
for
golang.org/x/crypto
(Go)
Jun 25, 2026
golang.org/x/crypto: Invoking pathological RSA/DSA parameters may cause DoS
High
CVE-2026-39829
was published
for
golang.org/x/crypto
(Go)
Jun 25, 2026
golang.org/x/crypto vulnerable to invoking bypass of certificate restrictions
Moderate
CVE-2026-39828
was published
for
golang.org/x/crypto
(Go)
Jun 25, 2026
Diffusers has a `trust_remote_code` bypass via `custom_pipeline` and local custom components
High
CVE-2026-44827
was published
for
diffusers
(pip)
May 7, 2026
•
withdrawn
container: pf Rule Injection via Domain Name Argument in `container system dns create --localhost` Command
Low
GHSA-39g5-644c-qwcg
was published
for
github.com/apple/container
(Swift)
May 7, 2026
MantisBT: SOAP API Authentication Bypass with Privilege Escalation to Administrator
Critical
CVE-2026-47156
was published
for
mantisbt/mantisbt
(Composer)
Jul 15, 2026
ToolHive: SSRF in remote MCP server authentication discovery (host-side, bypasses container isolation)
Low
CVE-2026-58196
was published
for
github.com/stacklok/toolhive
(Go)
Jul 15, 2026
bytedance InfiniStore: Denial of Service via Non-Cryptographic Hashing in InfiniStore KV Map
Low
CVE-2026-11312
was published
for
infinistore
(pip)
Jun 5, 2026
adawolfa/isdoc: Uncontrolled resource consumption (decompression bomb) when reading untrusted ISDOCX or PDF files
Moderate
GHSA-xg43-5579-qw6v
was published
for
adawolfa/isdoc
(Composer)
Jul 15, 2026
OpenStack Ironic: Crafted JSON String to Certain Endpoints on the API or JSON-RPC Service May Result in Service Crash
Moderate
CVE-2026-50589
was published
for
ironic
(pip)
Jun 5, 2026
@andrea9293/mcp-documentation-server: Web UI API binds to all interfaces without authentication by default
High
CVE-2026-54504
was published
for
@andrea9293/mcp-documentation-server
(npm)
Jul 15, 2026
systeminformation: OS command injection in networkInterfaces() via interfaces(5) source-directive path on Linux
High
CVE-2026-50289
was published
for
systeminformation
(npm)
Jul 15, 2026
Pomerium Pre-Auth Memory Exhaustion via Unbounded zstd Decompression in HPKE Callback
High
CVE-2026-50285
was published
for
github.com/pomerium/pomerium
(Go)
Jul 15, 2026
dd-trace-rb: Improper parsing of W3C baggage headers may lead to DoS
High
CVE-2026-50276
was published
for
datadog
(RubyGems)
Jul 15, 2026
dd-trace-go: Improper parsing of W3C baggage headers may lead to DoS
High
CVE-2026-50274
was published
for
github.com/DataDog/dd-trace-go
(Go)
Jul 15, 2026
dd-trace-dotnet: Improper parsing of W3C baggage headers may lead to DoS
High
CVE-2026-50273
was published
for
Datadog.Trace
(NuGet)
Jul 15, 2026
dd-trace-js: Improper parsing of W3C baggage headers may lead to DoS
High
CVE-2026-50272
was published
for
dd-trace
(npm)
Jul 15, 2026
dd-trace-py: Improper parsing of W3C baggage headers may lead to DoS
High
CVE-2026-50271
was published
for
ddtrace
(pip)
Jul 15, 2026
dd-trace-java: Improper parsing of W3C baggage headers may lead to DoS
High
CVE-2026-50270
was published
for
com.datadoghq:dd-java-agent
(Maven)
Jul 15, 2026
ViewComponent: Reused Component Instances Retain Stale Render Context
Moderate
CVE-2026-54497
was published
for
view_component
(RubyGems)
Jul 15, 2026
ProTip!
Advisories are also available from the
GraphQL API