GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

31,491 advisories

Element Call reports full URLs of visited pages to analytics server High
CVE-2026-48007 was published for @element-hq/element-call-embedded (npm) Jun 11, 2026
Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator High
CVE-2026-48006 was published for io.netty:netty-codec-redis (Maven) Jun 11, 2026
PDM: Project-Controlled `.pdm-plugins` Content Executes Before CLI Parsing High
CVE-2026-47781 was published for pdm (pip) Jun 11, 2026
Credited to xuemian168
free5GC UDR has improper `ueId` validation in EE subscription handlers that allows arbitrary identifier persistence Moderate
CVE-2026-47780 was published for github.com/free5gc/udr (Go) Jun 11, 2026
Credited to Giancannella, FrancescoDAlterio, ghMellow, and ndrberna
guzzlehttp/guzzle-services' XML Request Serialization Vulnerable to XML Injection via CDATA Terminator Moderate
CVE-2026-53723 was published for guzzlehttp/guzzle-services (Composer) Jun 11, 2026
Credited to GrahamCampbell
guzzlehttp/psr7 has Host Confusion via Authority Reinterpretation Moderate
CVE-2026-48998 was published for guzzlehttp/psr7 (Composer) Jun 11, 2026
Credited to edorian
guzzlehttp/psr7 has CRLF Injection via URI Host Component Moderate
CVE-2026-49214 was published for guzzlehttp/psr7 (Composer) Jun 11, 2026
Credited to edorian
nebula-mesh: Newly-minted operator API key exposed in redirect URL (Referer, history, proxy logs) Moderate
CVE-2026-47768 was published for github.com/juev/nebula-mesh (Go) Jun 10, 2026
Credited to ak2k
PDM wheel installation leads to Path Traversal via overridden write_to_fs High
CVE-2026-47764 was published for pdm (pip) Jun 10, 2026
PDM: Project-Local State and Config Writes Follow Symlinks Moderate
CVE-2026-47763 was published for pdm (pip) Jun 10, 2026
Credited to xuemian168 and ZejiHui
Incus has a Nil-Pointer Dereference Panic via Instance Backup Import (volume omitted) Moderate
CVE-2026-47753 was published for github.com/lxc/incus/v7 (Go) Jun 10, 2026
Credited to tonghuaroot and stgraber
Claude Code Action: Malicious MCP Server Configuration in PRs Enables Remote Code Execution and Secret Exfiltration Moderate
CVE-2026-47751 was published for anthropics/claude-code-action (GitHub Actions) Jun 10, 2026
Credited to purpshell and SheIITear
Litestar: AllowedHostsMiddleware bypasses host validation via client-controlled X-Forwarded-Host header Moderate
CVE-2026-48061 was published for litestar (pip) Jun 10, 2026
Credited to gik2927
Litestar has HTML Injection Through its CSRF Token High
CVE-2026-48060 was published for litestar (pip) Jun 10, 2026
Credited to Blinky-Keys
nebula-mesh: Session and OIDC state cookies lack the Secure attribute Moderate
CVE-2026-48058 was published for github.com/juev/nebula-mesh (Go) Jun 10, 2026
Credited to ak2k
nebula-mesh: Decrypted CA private key persists in heap after signing Moderate
CVE-2026-48025 was published for github.com/juev/nebula-mesh (Go) Jun 10, 2026
Credited to ak2k
OpenTelemetry Operator for Kubernetes's ServiceMonitor bearerTokenFile reads arbitrary local file and sends contents as bearer auth High
CVE-2026-47701 was published for github.com/open-telemetry/opentelemetry-operator (Go) Jun 10, 2026
Credited to everping, arminru, jaronoff97, and swiatekm
Anyquery has Path Traversal through `clear_plugin_cache`, Allowing Arbitrary Directory Deletion High
CVE-2026-47253 was published for github.com/julien040/anyquery (Go) Jun 10, 2026
Credited to 232-323
Credited to addcontent, russellb, and jperezdealgaba
Acknowledgement extension out of memory High
CVE-2025-53114 was published for org.cometd.java:cometd-java-server-common (Maven) Jun 10, 2026
Credited to cosimo
Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data Moderate
CVE-2026-49397 was published for github.com/nezhahq/nezha (Go) Jun 10, 2026
Credited to offset
Nezha has cross-site GET request that can trigger stored cron commands on a victim's agents High
CVE-2026-49396 was published for github.com/nezhahq/nezha (Go) Jun 10, 2026
Credited to sondt99
Go Restful API Boilerplate: Hardcoded JWT Secret "random" Allows Token Forgery Critical
CVE-2026-48031 was published for github.com/dhax/go-base (Go) Jun 10, 2026
Credited to saaa99999999
Papra HTTP redirect bypass can lead to SSRF via webhook delivery system Low
CVE-2026-48051 was published for @papra/webhooks (npm) Jun 10, 2026
Credited to FredrikEV