GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
165 advisories
Filter by severity
A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password verification function uses...
Low
Unreviewed
CVE-2026-15041
was published
Jul 8, 2026
pay-rails/pay: non-constant-time HMAC comparison in Paddle Billing webhook signature verifier
High
GHSA-mjgf-xj26-9qf9
was published
for
pay
(RubyGems)
Jul 1, 2026
CryptX versions before 0.088_001 for Perl compare AEAD authentication tags in non-constant time...
Low
Unreviewed
CVE-2026-13758
was published
Jun 29, 2026
An observable timing discrepancy in the ASP could allow a privileged attacker to perform a brute...
Moderate
Unreviewed
CVE-2023-20572
was published
Jun 26, 2026
An observable timing discrepancy in the ASP could allow a privileged attacker to perform a brute...
Low
Unreviewed
CVE-2023-20540
was published
Jun 26, 2026
Bleichenbacher padding oracle in PKCS#7 KTRI decryption. When decrypting PKCS#7 EnvelopedData...
Moderate
Unreviewed
CVE-2026-6291
was published
Jun 25, 2026
Filament: Timing-based user enumeration on login page
Moderate
CVE-2026-48166
was published
for
filament/filament
(Composer)
Jun 23, 2026
PHP JWT Library: RSA1_5 (RSAES-PKCS1-v1_5) decryption lacks implicit rejection, exposing a Bleichenbacher/Marvin padding oracle
Moderate
GHSA-5739-39v2-5754
was published
for
web-token/jwt-framework
(Composer)
Jun 18, 2026
Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb...
Moderate
Unreviewed
CVE-2026-54411
was published
Jun 14, 2026
Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks.
These versions...
Moderate
Unreviewed
CVE-2017-20240
was published
Jun 12, 2026
NocoDB: User Enumeration via Sign-In Timing
Low
CVE-2026-47380
was published
for
nocodb
(npm)
Jun 5, 2026
Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames
Low
CVE-2026-48011
was published
for
shopware/core
(Composer)
Jun 4, 2026
A flaw was found in gnutls. The PKCS#7 padding check, performed during decryption, was not...
Low
Unreviewed
CVE-2026-5419
was published
Jun 1, 2026
Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing...
Unknown
Unreviewed
CVE-2026-5091
was published
May 22, 2026
Netatalk 1.5.0 through 4.4.2 uses DES-ECB for authentication with a timing side channel, which...
Moderate
Unreviewed
CVE-2026-44061
was published
May 21, 2026
Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks.
These...
High
Unreviewed
CVE-2026-47373
was published
May 20, 2026
In memcached before 1.6.42, password data for SASL password database authentication has a timing...
High
Unreviewed
CVE-2026-47784
was published
May 20, 2026
In memcached before 1.6.42, username data for SASL password database authentication has a timing...
High
Unreviewed
CVE-2026-47783
was published
May 20, 2026
Apache Tomcat - AJP secret compared in non-constant time
Low
CVE-2026-43514
was published
for
org.apache.tomcat.embed:tomcat-embed-core
(Maven)
May 12, 2026
mcp-ssh-tool has file transfer path policy bypass and bearer token comparison hardening
High
GHSA-j7h9-2jh7-g967
was published
for
mcp-ssh-tool
(npm)
May 7, 2026
Kanidm has non-constant-time comparison of OAuth2 client_secret
Low
GHSA-53hj-r94p-8c8f
was published
for
kanidm
(Rust)
May 6, 2026
Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening
Critical
GHSA-9h64-2846-7x7f
was published
for
github.com/getaxonflow/axonflow
(Go)
May 6, 2026
pyquorum: Timing side‑channel in mul_mod
Moderate
CVE-2026-44368
was published
for
pyquorum
(pip)
May 6, 2026
opentelemetry-collector-contrib's azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay
High
CVE-2026-42602
was published
for
github.com/open-telemetry/opentelemetry-collector-contrib/extension/azureauthextension
(Go)
May 6, 2026
A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest...
Moderate
Unreviewed
CVE-2026-33006
was published
May 4, 2026
ProTip!
Advisories are also available from the
GraphQL API