Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

145 advisories

Loading
rust-zserio has Unbounded Memory Allocation High
GHSA-fpf5-4jw8-67x8 was published for rust-zserio (Rust) May 7, 2026
Netty HTTP/3 QPACK literal unbounded allocation High
CVE-2026-42582 was published for io.netty:netty-codec-http3 (Maven) May 7, 2026
violetagg Credited to violetagg, nicolaideffremo, normanmaurer, and massif-01 nicolaideffremo nicolaideffremo
normanmaurer normanmaurer massif-01 massif-01
OpAMP client reads unbounded HTTP response bodies Moderate
CVE-2026-42348 was published for OpenTelemetry.OpAmp.Client (NuGet) May 5, 2026
Kielek Credited to Kielek, martincostello, and arminru martincostello martincostello
arminru arminru
Prometheus: Remote read endpoint allows denial of service via crafted snappy payload High
CVE-2026-42154 was published for github.com/prometheus/prometheus (Go) May 5, 2026
ShadowByte1 Credited to ShadowByte1, Ankush-Pathak, and noren95 Ankush-Pathak Ankush-Pathak
noren95 noren95
Apache Thrift has a Memory Allocation with Excessive Size Value Vulnerability Moderate
CVE-2026-43868 was published for thrift (Rust) May 5, 2026
Apache OpenNLP AbstractModelReader has an OOM Denial of Service via Unbounded Array Allocation High
CVE-2026-42440 was published for org.apache.opennlp:opennlp-tools (Maven) May 4, 2026
ParquetSharp: Possible Stack Overflow When Reading a ParquetFile with Large Decimal Type Width Moderate
CVE-2026-42241 was published for ParquetSharp (NuGet) Apr 24, 2026
adamreeve Credited to adamreeve, CurtHagenlocher, and marcin-krystianc CurtHagenlocher CurtHagenlocher
marcin-krystianc marcin-krystianc
go-zserio has Unbounded Memory Allocation for All Platforms Critical
GHSA-xhj4-g6w8-2xjw was published for github.com/woven-planet/go-zserio (Go) Apr 24, 2026
Ryujiyasu Credited to Ryujiyasu
Zserio Runtime: Integer Overflow in BitStreamReader and Unbounded Memory Allocation in Deserialization High
CVE-2026-33524 was published for io.github.ndsev:zserio-runtime (Maven) Apr 24, 2026
Ryujiyasu Credited to Ryujiyasu
russh has pre-auth DoS via unbounded allocation in its keyboard-interactive auth handler High
CVE-2026-42189 was published for russh (Rust) Apr 24, 2026
coreyleavitt Credited to coreyleavitt
OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers Moderate
CVE-2026-40894 was published for OpenTelemetry.Api (NuGet) Apr 23, 2026
martincostello Credited to martincostello, Kielek, and arminru Kielek Kielek
arminru arminru
OpenTelemetry dotnet: Unbounded `grpc-status-details-bin` parsing in OTLP/gRPC retry handling Moderate
CVE-2026-40891 was published for OpenTelemetry.Exporter.OpenTelemetryProtocol (NuGet) Apr 23, 2026
Kielek Credited to Kielek, martincostello, and arminru martincostello martincostello
arminru arminru
OpenTelemetry dotnet: OTLP exporter reads unbounded HTTP response bodies Moderate
CVE-2026-40182 was published for OpenTelemetry.Exporter.OpenTelemetryProtocol (NuGet) Apr 23, 2026
martincostello Credited to martincostello, 1seal, Kielek, and arminru 1seal 1seal
Kielek Kielek arminru arminru
pypdf: Manipulated FlateDecode image dimensions can exhaust RAM Moderate
CVE-2026-41314 was published for pypdf (pip) Apr 16, 2026
l3b4nk4 Credited to l3b4nk4 and stefan6419846 stefan6419846 stefan6419846
pypdf: Manipulated FlateDecode predictor parameters can exhaust RAM Moderate
CVE-2026-41312 was published for pypdf (pip) Apr 16, 2026
l3b4nk4 Credited to l3b4nk4 and stefan6419846 stefan6419846 stefan6419846
zrok: Unauthenticated DoS via unbounded memory allocation in striped session cookie parsing High
CVE-2026-40303 was published for github.com/openziti/zrok (Go) Apr 16, 2026
Wasmtime has improperly masked return value from `table.grow` with Winch compiler backend Moderate
CVE-2026-35186 was published for wasmtime (Rust) Apr 10, 2026
shumbo Credited to shumbo, bholley, and deian bholley bholley
deian deian
Duplicate Advisory: OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure Moderate
GHSA-hm63-vwj4-mj2q was published for openclaw (npm) Apr 10, 2026 withdrawn
ProTip! Advisories are also available from the GraphQL API