GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
30 advisories
Filter by severity
Windmill: Resource-scoped API tokens can read script contents outside their allowed path via scripts/list_search
Moderate
CVE-2026-54136
was published
for
windmill-api
(Rust)
Jul 10, 2026
id: groups= computed from real GID instead of effective GID
Moderate
CVE-2026-35370
was published
for
uu_id
(Rust)
Jul 6, 2026
SurrealDB: Edge PERMISSIONS FOR delete bypassed when a connected node is deleted
Moderate
CVE-2026-49997
was published
for
surrealdb
(Rust)
Jul 1, 2026
SurrealDB: Field-level SELECT permissions bypassed via indexed COUNT fast paths
Moderate
GHSA-c8jx-96c9-8xrp
was published
for
surrealdb
(Rust)
Jul 1, 2026
SurrealDB: USE NS/DB implicit creation bypasses DEFINE authorization
Moderate
GHSA-wp87-mgvq-5j93
was published
for
surrealdb
(Rust)
Jul 1, 2026
SurrealDB: Authenticated subscribers can read records hidden by SELECT permissions via LIVE subscriptions
Moderate
GHSA-6wqw-vhfr-9999
was published
for
surrealdb
(Rust)
Jul 1, 2026
SurrealDB has bypass of field-level SELECT permissions through JSON Patch `copy` and `move` with empty `from`
Moderate
GHSA-fpxg-5xmv-922m
was published
for
surrealdb
(Rust)
Jul 1, 2026
SurrealDB has an Authorization Bypass via Composite Record-id Paths
Moderate
GHSA-6vg3-hgrw-p5gf
was published
for
surrealdb
(Rust)
Jul 1, 2026
SurrealDB: Graph traversal bypasses table SELECT permissions
Moderate
GHSA-vjjx-rfw4-rmfc
was published
for
surrealdb
(Rust)
Jul 1, 2026
SurrealDB: Scraping a TABLE with no available PERMISSIONS to current auth level
Moderate
GHSA-98fx-66cf-fc7c
was published
for
surrealdb
(Rust)
Jul 1, 2026
SurrealDB: Field-level SELECT permissions bypassed via graph and reference traversals
Moderate
GHSA-hv6h-hc26-q48p
was published
for
surrealdb
(Rust)
Jun 19, 2026
Deno: process.loadEnvFile() bypasses env permission checks and mutates process.env with only read access
Moderate
CVE-2026-49983
was published
for
deno
(Rust)
Jun 16, 2026
nono: Sandbox escape on Linux via D-Bus: `systemd-run --user`
Moderate
CVE-2026-47128
was published
for
nono-cli
(Rust)
May 28, 2026
RustFS: ListServiceAccount authorizes against wrong admin action, enabling cross-user enumeration and root service account takeover
High
GHSA-mm2q-qcmx-gw4w
was published
for
rustfs
(Rust)
May 5, 2026
Duplicate Advisory: uutils coreutils has an Incorrect Authorization issue
Moderate
GHSA-q94g-3gcf-66x7
was published
for
coreutils
(Rust)
Apr 22, 2026
•
withdrawn
Vaultwarden's Collection Management Operations Allowed Without `manage` Verification for Manager Role
High
CVE-2026-27803
was published
for
vaultwarden
(Rust)
Mar 4, 2026
Vaultwarden has Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager
High
CVE-2026-27802
was published
for
vaultwarden
(Rust)
Mar 4, 2026
RustFS: Missing Post Policy Validation leads to Arbitrary Object Write
High
CVE-2026-27607
was published
for
rustfs
(Rust)
Feb 25, 2026
Duplicate Advisory: SurrealDB is Vulnerable to Unauthorized Data Exposure via LIVE Query Subscriptions
Moderate
GHSA-98f8-j56x-2hh4
was published
for
surrealdb
(Rust)
Sep 26, 2025
•
withdrawn
SurrealDB is Vulnerable to Unauthorized Data Exposure via LIVE Query Subscriptions
Moderate
CVE-2025-11060
was published
for
SurrealDB
(Rust)
Sep 11, 2025
Deno has --allow-read / --allow-write permission bypass in `node:sqlite`
Moderate
CVE-2025-48935
was published
for
deno
(Rust)
Jun 4, 2025
Deno run with --allow-read and --deny-read flags results in allowed
Moderate
CVE-2025-48888
was published
for
deno
(Rust)
Jun 4, 2025
tendermint-rs's Light Client Verifier allows malicious validators to spoof votes from other validators
High
GHSA-6jrf-4jv4-r9mw
was published
for
tendermint-light-client-verifier
(Rust)
Apr 9, 2025
Zincati allows unprivileged access to rpm-ostree D-Bus `Deploy()` and `FinalizeDeployment()` methods
Low
CVE-2025-27512
was published
for
zincati
(Rust)
Mar 17, 2025
Vaultwarden vulnerable to user impersonation
High
CVE-2024-55225
was published
for
vaultwarden
(Rust)
Jan 9, 2025
ProTip!
Advisories are also available from the
GraphQL API