GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,297
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
11,794 advisories
Filter by severity
FacturaScripts: CSV formula injection in CSVExport allows authenticated low-priv users to plant payloads that execute when an admin opens the export
High
CVE-2026-45263
was published
for
facturascripts/facturascripts
(Composer)
Jul 14, 2026
FacturaScripts: Unauthenticated Path Traversal in Static File Controllers Reads Private MyFiles Documents
High
CVE-2026-45693
was published
for
facturascripts/facturascripts
(Composer)
Jul 14, 2026
OpenCost ServiceKey Endpoint Unauthorized Credential Overwrite/Injection
High
CVE-2026-44300
was published
for
github.com/opencost/opencost
(Go)
Jul 14, 2026
Kimai: Pre-2FA KIMAI_SESSION cookie grants full authenticated REST API access, bypassing TOTP
High
CVE-2026-52827
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
json_repair: Circular JSON Schema `$ref` causes unbounded CPU DoS
High
GHSA-xf7x-x43h-rpqh
was published
for
json-repair
(pip)
Jul 13, 2026
DIRAC: SQL injection and lack of access control in PilotManager service
High
GHSA-7xw9-549r-8jrc
was published
for
DIRAC
(pip)
Jul 13, 2026
DIRAC: Pilot code downloaded over unverified HTTPS connection
High
CVE-2026-61668
was published
for
DIRAC
(pip)
Jul 13, 2026
Apollo ConfigService access key authentication bypass via raw config file appId parsing
High
CVE-2026-59955
was published
for
com.ctrip.framework.apollo:apollo
(Maven)
Jul 13, 2026
Apollo ConfigService access key authentication bypass via appId parsing and non-canonical matching
High
CVE-2026-59954
was published
for
com.ctrip.framework.apollo:apollo
(Maven)
Jul 13, 2026
GoogleOAuthenticator.hosted_domain incorrectly verifies membership of an Google organization/workspace
High
CVE-2024-29033
was published
for
oauthenticator
(pip)
Mar 20, 2024
NukeViet: Pre-authentication SSRF via X-Forwarded-Host
High
CVE-2026-55372
was published
for
nukeviet/nukeviet
(Composer)
Jul 13, 2026
NukeViet: Path Traversal to Arbitrary File Deletion in Edit Comment Function
High
CVE-2026-54065
was published
for
nukeviet/nukeviet
(Composer)
Jul 13, 2026
NukeViet: Multiple Anti-XSS Filter Bypasses Leading to Stored XSS in News Module
High
CVE-2026-54064
was published
for
nukeviet/nukeviet
(Composer)
Jul 13, 2026
GoBGP: Integer underflow in the BGPUpdate.DecodeFromBytes function
High
CVE-2026-37462
was published
for
github.com/osrg/gobgp/v4
(Go)
Jun 3, 2026
huggingface/transformers: Arbitrary Code Execution During Model Initialization in the LightGlue Model Loading Path
High
CVE-2026-5241
was published
for
transformers
(pip)
Jun 3, 2026
NukeViet: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
High
CVE-2026-49259
was published
for
nukeviet/nukeviet
(Composer)
Jul 13, 2026
NukeViet: Unauthenticated Reflected XSS in Comment Module
High
CVE-2026-48118
was published
for
nukeviet/nukeviet
(Composer)
Jul 13, 2026
Decidim: JWT-backed authentication can be replayed across organizations
High
CVE-2026-45414
was published
for
decidim
(RubyGems)
Jul 13, 2026
Decidim: Verification documents can be downloaded through reusable links
High
CVE-2026-45378
was published
for
decidim-verifications
(RubyGems)
Jul 13, 2026
ws: Memory exhaustion DoS from tiny fragments and data chunks
High
CVE-2026-48779
was published
for
ws
(npm)
Jun 15, 2026
Diffusers: TOCTOU Trust Remote Code Bypass
High
CVE-2026-45804
was published
for
diffusers
(pip)
May 20, 2026
melange: Incomplete package integrity verification allows data section substitution
High
CVE-2026-54174
was published
for
chainguard.dev/apko
(Go)
Jul 10, 2026
Jaspersoft Reports: Java Deserialization Vulnerability Lleads to Remote Code Execution (RCE)
High
CVE-2026-6009
was published
for
net.sf.jasperreports:jasperreports
(Maven)
May 19, 2026
Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enabled is unset
High
GHSA-h4g2-xfmw-q2c9
was published
for
clauster
(pip)
Jul 10, 2026
mcp-atlassian: Arbitrary file read via missing path validation in confluence_upload_attachment
High
GHSA-g5r6-gv6m-f5jv
was published
for
mcp-atlassian
(pip)
Jul 10, 2026
ProTip!
Advisories are also available from the
GraphQL API