GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
28 advisories
Filter by severity
1Password 8 before 8.10.36 for macOS allows local attackers to exfiltrate vault items because XPC...
High
Unreviewed
CVE-2024-42219
was published
Aug 6, 2024
1Password 8 before 8.10.38 for macOS allows local attackers to exfiltrate vault items by...
Moderate
Unreviewed
CVE-2024-42218
was published
Aug 6, 2024
AngularJS allows attackers to bypass common image source restrictions
Low
CVE-2024-8372
was published
for
angular
(npm)
Sep 9, 2024
An issue was discovered in za-internet C-MOR Video Surveillance 5.2401 and 6.00PL01. Due to...
High
Unreviewed
CVE-2024-45179
was published
Oct 9, 2024
`idna` accepts Punycode labels that do not produce any non-ASCII when decoded
Moderate
CVE-2024-12224
was published
for
idna
(Rust)
Dec 9, 2024
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.8 before 18.8.4...
Moderate
Unreviewed
CVE-2026-1094
was published
Feb 11, 2026
Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions
High
CVE-2026-27610
was published
for
parse-dashboard
(npm)
Feb 25, 2026
Improper input validation in the apps and endpoints configuration in PowerShell Universal before...
Moderate
Unreviewed
CVE-2026-3563
was published
Mar 17, 2026
Ory Oathkeeper has an authentication bypass by cache key confusion
High
CVE-2026-33496
was published
for
github.com/ory/oathkeeper
(Go)
Mar 20, 2026
OpenFGA has an Authorization Bypass through cached keys
Moderate
CVE-2026-33729
was published
for
github.com/openfga/openfga
(Go)
Mar 26, 2026
An incorrect startup configuration of affected versions of Zscaler Client Connector on Windows...
Moderate
Unreviewed
CVE-2026-22569
was published
Mar 31, 2026
fast-jwt: Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup)
Critical
CVE-2026-35039
was published
for
fast-jwt
(npm)
Apr 3, 2026
When verifying a certificate chain containing excluded DNS constraints, these constraints are not...
High
Unreviewed
CVE-2026-33810
was published
Apr 8, 2026
mercure has Topic Selector Cache Key Collision
High
CVE-2026-39972
was published
for
github.com/dunglas/mercure
(Go)
Apr 8, 2026
@node-oauth/oauth2-server: PKCE code_verifier ABNF not enforced in token exchange allows brute-force redemption of intercepted authorization codes
Moderate
CVE-2026-41213
was published
for
@node-oauth/oauth2-server
(npm)
Apr 16, 2026
DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode
Moderate
CVE-2026-41239
was published
for
dompurify
(npm)
Apr 22, 2026
webauthn-rs-core/webauthn-authenticator-rs: Origin validation mismatch possible when subdomains are allowed
Low
GHSA-22w3-693w-x895
was published
for
webauthn-authenticator-rs
(Rust)
May 6, 2026
Net::CIDR::Lite versions before 0.24 for Perl does not properly validate IP address and CIDR mask...
Moderate
Unreviewed
CVE-2026-45190
was published
May 10, 2026
Net::CIDR::Lite versions before 0.24 for Perl does not properly consider extraneous zero...
Moderate
Unreviewed
CVE-2026-45191
was published
May 10, 2026
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an...
Critical
Unreviewed
CVE-2026-39821
was published
May 26, 2026
Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring
High
CVE-2026-42462
was published
for
@fedify/fedify
(npm)
May 26, 2026
symfony/polyfill-intl-idn: xn-- labels with ASCII-only Punycode payloads are treated as equivalent to their decoded form
Low
CVE-2026-46644
was published
for
symfony/polyfill
(Composer)
May 28, 2026
Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks
Moderate
CVE-2026-48710
was published
for
starlette
(pip)
Jun 4, 2026
Hono: IP Restriction bypasses static deny rules for non-canonical IPv6
Moderate
CVE-2026-47674
was published
for
hono
(npm)
Jun 4, 2026
Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks.
...
Moderate
Unreviewed
CVE-2026-49940
was published
Jun 4, 2026
ProTip!
Advisories are also available from the
GraphQL API