GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
112 advisories
Filter by severity
pay-rails/pay: non-constant-time HMAC comparison in Paddle Billing webhook signature verifier
High
GHSA-mjgf-xj26-9qf9
was published
for
pay
(RubyGems)
Jul 1, 2026
Filament: Timing-based user enumeration on login page
Moderate
CVE-2026-48166
was published
for
filament/filament
(Composer)
Jun 23, 2026
PHP JWT Library: RSA1_5 (RSAES-PKCS1-v1_5) decryption lacks implicit rejection, exposing a Bleichenbacher/Marvin padding oracle
Moderate
GHSA-5739-39v2-5754
was published
for
web-token/jwt-framework
(Composer)
Jun 18, 2026
NocoDB: User Enumeration via Sign-In Timing
Low
CVE-2026-47380
was published
for
nocodb
(npm)
Jun 5, 2026
Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames
Low
CVE-2026-48011
was published
for
shopware/core
(Composer)
Jun 4, 2026
Apache Tomcat - AJP secret compared in non-constant time
Low
CVE-2026-43514
was published
for
org.apache.tomcat.embed:tomcat-embed-core
(Maven)
May 12, 2026
mcp-ssh-tool has file transfer path policy bypass and bearer token comparison hardening
High
GHSA-j7h9-2jh7-g967
was published
for
mcp-ssh-tool
(npm)
May 7, 2026
Kanidm has non-constant-time comparison of OAuth2 client_secret
Low
GHSA-53hj-r94p-8c8f
was published
for
kanidm
(Rust)
May 6, 2026
Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening
Critical
GHSA-9h64-2846-7x7f
was published
for
github.com/getaxonflow/axonflow
(Go)
May 6, 2026
pyquorum: Timing side‑channel in mul_mod
Moderate
CVE-2026-44368
was published
for
pyquorum
(pip)
May 6, 2026
opentelemetry-collector-contrib's azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay
High
CVE-2026-42602
was published
for
github.com/open-telemetry/opentelemetry-collector-contrib/extension/azureauthextension
(Go)
May 6, 2026
Spring Boot DevTools remote secret comparison is vulnerable to timing attacks
High
CVE-2026-40972
was published
for
org.springframework.boot:spring-boot-devtools
(Maven)
Apr 28, 2026
Traefik: A timing side-channel vulnerability allows for valid username enumeration via BasicAuth middleware
Moderate
CVE-2026-41263
was published
for
github.com/traefik/traefik
(Go)
Apr 24, 2026
Spring Security Vulnerable to User Attribute Enumeration when Using DaoAuthenticationProvider
Low
CVE-2026-22746
was published
for
org.springframework.security:spring-security-core
(Maven)
Apr 22, 2026
Kimai: Username enumeration via timing on X-AUTH-USER
Low
GHSA-jrc6-fmhw-fpq2
was published
for
kimai/kimai
(Composer)
Apr 17, 2026
Mojic: Observable Timing Discrepancy in HMAC Verification
Moderate
CVE-2026-41244
was published
for
mojic
(npm)
Apr 16, 2026
ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint
Low
CVE-2026-33877
was published
for
apostrophe
(npm)
Apr 16, 2026
Sync-in Server has Username Enumeration via Timing Attack
Moderate
CVE-2026-41161
was published
for
@sync-in/server
(npm)
Apr 15, 2026
Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel
Low
CVE-2026-40263
was published
for
github.com/enchant97/note-mark/backend
(Go)
Apr 13, 2026
phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals()
Low
CVE-2026-40194
was published
for
phpseclib/phpseclib
(Composer)
Apr 10, 2026
Parse Server has a login timing side-channel reveals user existence
Moderate
CVE-2026-39321
was published
for
parse-server
(npm)
Apr 8, 2026
OpenClaw: Shared-secret comparison call sites leaked length information through timing
Moderate
CVE-2026-41407
was published
for
openclaw
(npm)
Apr 7, 2026
FileBrowser Quantum has Username Enumeration via Authentication Timing Side-Channel
Moderate
CVE-2026-54685
was published
for
github.com/gtsteffaniak/filebrowser/backend
(Go)
Mar 24, 2026
Traefik Affected by BasicAuth Middleware Timing Attack Allows Username Enumeration
Moderate
CVE-2026-32595
was published
for
github.com/traefik/traefik
(Go)
Mar 20, 2026
phpseclib's AES-CBC unpadding susceptible to padding oracle timing attack
High
CVE-2026-32935
was published
for
phpseclib/phpseclib
(Composer)
Mar 19, 2026
ProTip!
Advisories are also available from the
GraphQL API