GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
4,449 advisories
Filter by severity
Decompress: Archive extraction can create files and links outside of the target directory
Critical
CVE-2026-53486
was published
for
@xhmikosr/decompress
(npm)
Jul 6, 2026
Cilium vulnerable to sensitive information disclosure and cluster disruption via local Envoy admin socket access
Critical
CVE-2026-49445
was published
for
github.com/cilium/cilium
(Go)
Jul 6, 2026
Formie Hidden field defaults vulnerable to Server-Side Template Injection
Critical
CVE-2026-52889
was published
for
verbb/formie
(Composer)
Jul 6, 2026
9router's Hardcoded Default fallback JWT Secret Allows Authentication Bypass
Critical
CVE-2026-49352
was published
for
9router
(npm)
Jul 2, 2026
LaunchServer FileServerHandler has an unauthenticated path traversal issue
Critical
CVE-2026-54617
was published
for
pro.gravit.launcher:launchserver-api
(Maven)
Jul 2, 2026
fast-mcp-telegram: Bearer token path traversal bypasses reserved Telegram session protection
Critical
CVE-2026-52830
was published
for
fast-mcp-telegram
(pip)
Jul 2, 2026
9router: Missing Authorization and OS Command Injection
Critical
CVE-2026-59800
was published
for
9router
(npm)
Jul 2, 2026
Mautic vulnerable to Path Traversal via Campaign Import
Critical
CVE-2026-9559
was published
for
mautic/core
(Composer)
Jul 2, 2026
Mautic has Server-Side Template Injection (SSTI) in Theme Templates
Critical
CVE-2026-9558
was published
for
mautic/core
(Composer)
Jul 2, 2026
zebrad has consensus divergence via P2SH sigop undercount in pure-Rust disabled-opcode parser
Critical
CVE-2026-52735
was published
for
zebra-script
(Rust)
Jul 2, 2026
OpenClaw: QQBot admin commands could skip DM-only and allowFrom policy
Critical
GHSA-w4v6-g3wm-w36c
was published
for
openclaw
(npm)
Jul 2, 2026
mcp-memory-service: Missing Authentication on Document API Endpoints Allows Unauthenticated Memory Read/Write/Delete
Critical
CVE-2026-50027
was published
for
mcp-memory-service
(pip)
Jul 2, 2026
Ghost: Cache-poisoning XSS in Ghost frontend via x-ghost-preview header
Critical
CVE-2026-53943
was published
for
ghost
(npm)
Jul 1, 2026
Rancher has Privilege Escalation from Project Owner to Host
Critical
CVE-2026-41052
was published
for
github.com/rancher/rancher
(Go)
Jul 1, 2026
Rancher Fleet vulnerable to cross namespace secret disclosure via unvalidated `valuesFrom` references in Helm Deployer
Critical
CVE-2026-44935
was published
for
github.com/rancher/fleet
(Go)
Jul 1, 2026
Rancher vulnerable to command injection through unsanitized YAML parameter
Critical
CVE-2026-44939
was published
for
github.com/rancher/rancher
(Go)
Jul 1, 2026
QUIC has Broken TLS verification
Critical
CVE-2026-49457
was published
for
quic
(Erlang)
Jul 1, 2026
Fission: Environment Runtime.Container and Builder.Container SecurityContext bypass allows privileged pod creation
Critical
CVE-2026-50566
was published
for
github.com/fission/fission
(Go)
Jun 30, 2026
Fission Environment CRD podspec passthrough enables hostPID/hostNetwork/privileged pods, node escape
Critical
CVE-2026-50564
was published
for
github.com/fission/fission
(Go)
Jun 30, 2026
Fission Container Executor Function PodSpec Injection Leading to Node Escape
Critical
CVE-2026-50563
was published
for
github.com/fission/fission
(Go)
Jun 30, 2026
Fission Environment CRD PodSpec Injection Leading to Node Escape and Cluster Takeover
Critical
CVE-2026-50545
was published
for
github.com/fission/fission
(Go)
Jun 30, 2026
Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secret_key
Critical
CVE-2026-53519
was published
for
github.com/nezhahq/nezha
(Go)
Jun 26, 2026
Nezha vulnerable to cross-tenant terminal/file-manager session hijack via WebSocket stream UUID without ownership check
Critical
GHSA-q6xx-5vr8-p898
was published
for
github.com/nezhahq/nezha
(Go)
Jun 26, 2026
mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind
Critical
CVE-2026-49257
was published
for
mcp-pinot-server
(pip)
Jun 26, 2026
Relyra SAML SignatureValue not cryptographically verified -> authentication bypass
Critical
CVE-2026-49454
was published
for
relyra
(Erlang)
Jun 26, 2026
ProTip!
Advisories are also available from the
GraphQL API