GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open source software.
330 advisories
http4k: `reverseProxy()` defaulted to substring (`Contains`) matching on `Host`; tightened to `Exact`
    Severity: Moderate | GHSA-jrpc-7vxp-69p6 | org.http4k:http4k-core (Maven) | published Jun 19, 2026

Tinyproxy through 1.11.3, fixed in commit ff45d3b, fails to reconcile conflicting Content-Length...
    Severity: Critical | Unreviewed | CVE-2026-54387 | published Jun 17, 2026

Tinyproxy through 1.11.3, fixed in commit 364cdb6, fails to reject requests containing multiple...
    Severity: Critical | Unreviewed | CVE-2026-54388 | published Jun 17, 2026

Caddy: FastCGI header normalization bypass in `forward_auth copy_headers`
    Severity: High | CVE-2026-52845 | github.com/caddyserver/caddy (Go) | published Jun 16, 2026

Netty: HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted
    Severity: Moderate | CVE-2026-50020 | io.netty:netty-codec-http (Maven) | published Jun 15, 2026

python-multipart: Semicolon treated as querystring field separator enables parameter smuggling
    Severity: Low | CVE-2026-53538 | python-multipart (pip) | published Jun 15, 2026

SwiftNIO HTTP/2: HTTP/2-to-HTTP/1 Request Smuggling via unvalidated :path pseudo-header in HTTP2ToHTTP1Codec
    Severity: Low | CVE-2026-28898 | github.com/apple/swift-nio-http2 (Swift) | published Jun 12, 2026

A HTTP request smuggling and desynchronization vulnerability affects Kong Gateway Enterprise 3.4,...
    Severity: Moderate | Unreviewed | CVE-2026-6338 | published Jun 11, 2026

Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks. ...
    Severity: Moderate | Unreviewed | CVE-2026-41853 | published Jun 9, 2026

Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
    Severity: Moderate | CVE-2026-47676 | hono (npm) | published Jun 4, 2026

Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks
    Severity: Moderate | CVE-2026-48710 | starlette (pip) | published Jun 4, 2026

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to...
    Severity: Low | Unreviewed | CVE-2026-44546 | published Jun 3, 2026

In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request...
    Severity: Low | Unreviewed | CVE-2026-50052 | published Jun 3, 2026

A flaw was found in libsoup. A remote attacker could exploit an unsigned to signed conversion...
    Severity: Moderate | Unreviewed | CVE-2026-6324 | published May 29, 2026

IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM...
    Severity: High | Unreviewed | CVE-2026-8620 | published May 26, 2026

IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM...
    Severity: High | Unreviewed | CVE-2026-9170 | published May 26, 2026

Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning
    Severity: Low | CVE-2026-46342 | @nuxt/nitro-server (npm) | published May 19, 2026

Bandit is vulnerable to CL.CL request smuggling via unrejected duplicate `Content-Length` header
    Severity: Moderate | CVE-2026-39805 | bandit (Erlang) | published May 7, 2026

Netty vulnerable to HTTP Request Smuggling due to malformed Transfer-Encoding
    Severity: Moderate | CVE-2026-42585 | io.netty:netty-codec-http (Maven) | published May 7, 2026

Netty has HttpClientCodec response desynchronization
    Severity: High | CVE-2026-42584 | io.netty:netty-codec-http (Maven) | published May 7, 2026

Netty HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization
    Severity: Moderate | CVE-2026-42581 | io.netty:netty-codec-http (Maven) | published May 7, 2026

Netty vulnerable to HTTP Request Smuggling due to incorrect chunk size parsing
    Severity: Moderate | CVE-2026-42580 | io.netty:netty-codec-http (Maven) | published May 7, 2026

Gazelle versions through 0.49 for Perl allows HTTP Request Smuggling via Improper Header...
    Severity: High | Unreviewed | CVE-2026-40562 | published May 6, 2026

Netty: Start-Line Injection in DefaultHttpRequest.setUri() Allows HTTP Request Smuggling and RTSP Request Injection
    Severity: Moderate | CVE-2026-41417 | io.netty:netty-codec-http (Maven) | published May 5, 2026