GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
23 advisories
Filter by severity
pay-rails/pay: non-constant-time HMAC comparison in Paddle Billing webhook signature verifier
High
GHSA-mjgf-xj26-9qf9
was published
for
pay
(RubyGems)
Jul 1, 2026
mcp-ssh-tool has file transfer path policy bypass and bearer token comparison hardening
High
GHSA-j7h9-2jh7-g967
was published
for
mcp-ssh-tool
(npm)
May 7, 2026
opentelemetry-collector-contrib's azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay
High
CVE-2026-42602
was published
for
github.com/open-telemetry/opentelemetry-collector-contrib/extension/azureauthextension
(Go)
May 6, 2026
Spring Boot DevTools remote secret comparison is vulnerable to timing attacks
High
CVE-2026-40972
was published
for
org.springframework.boot:spring-boot-devtools
(Maven)
Apr 28, 2026
phpseclib's AES-CBC unpadding susceptible to padding oracle timing attack
High
CVE-2026-32935
was published
for
phpseclib/phpseclib
(Composer)
Mar 19, 2026
@perfood/couch-auth has an Observable Timing Discrepancy
High
CVE-2025-70949
was published
for
@perfood/couch-auth
(npm)
Mar 5, 2026
AWS-LC has Timing Side-Channel in AES-CCM Tag Verification
High
GHSA-65p9-r9h6-22vj
was published
for
aws-lc-fips-sys
(Rust)
Mar 3, 2026
OpenClaw has non-constant-time token comparison in hooks authentication
High
CVE-2026-28464
was published
for
openclaw
(npm)
Mar 2, 2026
RustCrypto Utilities cmov: `thumbv6m-none-eabi` compiler emits non-constant time assembly when using `cmovnz`
High
CVE-2026-23519
was published
for
cmov
(Rust)
Jan 15, 2026
Duplicate Advisory: Authorization Bypass in OPC UA .NET Standard Stack
High
GHSA-qv5f-57gw-vx3h
was published
for
OPCFoundation.NetStandard.Opc.Ua
(NuGet)
Feb 10, 2025
•
withdrawn
basic-auth-connect's callback uses time unsafe string comparison
High
CVE-2024-47178
was published
for
basic-auth-connect
(npm)
Sep 30, 2024
Python Cryptography package vulnerable to Bleichenbacher timing oracle attack
High
CVE-2023-50782
was published
for
cryptography
(pip)
Feb 5, 2024
Minerva timing attack on P-256 in python-ecdsa
High
CVE-2024-23342
was published
for
ecdsa
(pip)
Jan 22, 2024
generator-jhipster allows a timing attack against validateToken due to a string comparison that stops at the first character
High
CVE-2015-20110
was published
for
generator-jhipster
(npm)
Oct 31, 2023
Mailman Core vulnerable to timing attacks
High
CVE-2021-34337
was published
for
mailman
(pip)
Apr 15, 2023
Observable timing discrepancy in JOpenId
High
CVE-2010-10006
was published
for
org.expressme:JOpenId
(Maven)
Jan 18, 2023
Wildfly-elytron possibly vulnerable to timing attacks via use of unsafe comparator
High
CVE-2022-3143
was published
for
org.wildfly.security:wildfly-elytron
(Maven)
Jan 13, 2023
Atlantis Events vulnerable to Timing Attack
High
CVE-2022-24912
was published
for
github.com/runatlantis/atlantis
(Go)
Jul 30, 2022
fastify-bearer-auth vulnerable to Timing Attack Vector
High
CVE-2022-31142
was published
for
@fastify/bearer-auth
(npm)
Jul 15, 2022
Symfony Vulnerable to Timing Attack
High
CVE-2015-8125
was published
for
symfony/form
(Composer)
May 17, 2022
libsecp256k1 contains side-channel timing attack
High
CVE-2019-25003
was published
for
libsecp256k1
(Rust)
Aug 25, 2021
Observable Timing Discrepancy in aaugustin websockets library
High
CVE-2021-33880
was published
for
websockets
(pip)
Jun 11, 2021
ProTip!
Advisories are also available from the
GraphQL API