GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
166 advisories
Filter by severity
ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint
Low
CVE-2026-33877
was published
for
apostrophe
(npm)
Apr 16, 2026
Kimai: Username enumeration via timing on X-AUTH-USER
Low
GHSA-jrc6-fmhw-fpq2
was published
for
kimai/kimai
(Composer)
Apr 17, 2026
Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel
Low
CVE-2026-40263
was published
for
github.com/enchant97/note-mark/backend
(Go)
Apr 13, 2026
Mojic: Observable Timing Discrepancy in HMAC Verification
Moderate
CVE-2026-41244
was published
for
mojic
(npm)
Apr 16, 2026
Spring Security Vulnerable to User Attribute Enumeration when Using DaoAuthenticationProvider
Low
CVE-2026-22746
was published
for
org.springframework.security:spring-security-core
(Maven)
Apr 22, 2026
A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest...
Moderate
Unreviewed
CVE-2026-33006
was published
May 4, 2026
OpenClaw: Shared-secret comparison call sites leaked length information through timing
Moderate
CVE-2026-41407
was published
for
openclaw
(npm)
Apr 7, 2026
Spring Boot DevTools remote secret comparison is vulnerable to timing attacks
High
CVE-2026-40972
was published
for
org.springframework.boot:spring-boot-devtools
(Maven)
Apr 28, 2026
Traefik: A timing side-channel vulnerability allows for valid username enumeration via BasicAuth middleware
Moderate
CVE-2026-41263
was published
for
github.com/traefik/traefik
(Go)
Apr 24, 2026
Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening
Critical
GHSA-9h64-2846-7x7f
was published
for
github.com/getaxonflow/axonflow
(Go)
May 6, 2026
Kanidm has non-constant-time comparison of OAuth2 client_secret
Low
GHSA-53hj-r94p-8c8f
was published
for
kanidm
(Rust)
May 6, 2026
mcp-ssh-tool has file transfer path policy bypass and bearer token comparison hardening
High
GHSA-j7h9-2jh7-g967
was published
for
mcp-ssh-tool
(npm)
May 7, 2026
phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals()
Low
CVE-2026-40194
was published
for
phpseclib/phpseclib
(Composer)
Apr 10, 2026
phpseclib's AES-CBC unpadding susceptible to padding oracle timing attack
High
CVE-2026-32935
was published
for
phpseclib/phpseclib
(Composer)
Mar 19, 2026
A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user...
Moderate
Unreviewed
CVE-2026-21713
was published
Mar 30, 2026
Sync-in Server has Username Enumeration via Timing Attack
Moderate
CVE-2026-41161
was published
for
@sync-in/server
(npm)
Apr 15, 2026
opentelemetry-collector-contrib's azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay
High
CVE-2026-42602
was published
for
github.com/open-telemetry/opentelemetry-collector-contrib/extension/azureauthextension
(Go)
May 6, 2026
pyquorum: Timing side‑channel in mul_mod
Moderate
CVE-2026-44368
was published
for
pyquorum
(pip)
May 6, 2026
Apache Tomcat - AJP secret compared in non-constant time
Low
CVE-2026-43514
was published
for
org.apache.tomcat.embed:tomcat-embed-core
(Maven)
May 12, 2026
In memcached before 1.6.42, password data for SASL password database authentication has a timing...
High
Unreviewed
CVE-2026-47784
was published
May 20, 2026
Netatalk 1.5.0 through 4.4.2 uses DES-ECB for authentication with a timing side channel, which...
Moderate
Unreviewed
CVE-2026-44061
was published
May 21, 2026
Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks.
These...
High
Unreviewed
CVE-2026-47373
was published
May 20, 2026
Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing...
Unknown
Unreviewed
CVE-2026-5091
was published
May 22, 2026
NocoDB: User Enumeration via Sign-In Timing
Low
CVE-2026-47380
was published
for
nocodb
(npm)
Jun 5, 2026
Django has Observable Timing Discrepancy
Low
CVE-2025-13473
was published
for
Django
(pip)
Feb 3, 2026
ProTip!
Advisories are also available from the
GraphQL API