GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
2,453 advisories
Filter by severity
daphne: WebSocket handshake header smuggling through autobahn splitlines() mishandling of non-standard line separators
Low
CVE-2026-44546
was published
for
daphne
(pip)
Jun 3, 2026
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login
Low
CVE-2026-48589
was published
for
org.apache.shiro:shiro-jakarta-ee
(Maven)
May 26, 2026
Code Index MCP is vulnerable to Uncontrolled Resource Consumption
Low
CVE-2026-10692
was published
for
code-index-mcp
(pip)
Jun 3, 2026
DesktopCommanderMCP is vulnerable to SSRF
Low
CVE-2026-10690
was published
for
@wonderwhy-er/desktop-commander
(npm)
Jun 3, 2026
DesktopCommanderMCP is vulnerable to Uncontrolled Resource Consumption
Low
CVE-2026-10691
was published
for
@wonderwhy-er/desktop-commander
(npm)
Jun 3, 2026
Tesla vulnerable to multipart part smuggling via unescaped `content-disposition` values
Low
CVE-2026-48598
was published
for
tesla
(Erlang)
Jul 10, 2026
Tesla has CRLF injection in request `Content-Type` header via `add_content_type_param`
Low
CVE-2026-48596
was published
for
tesla
(Erlang)
Jul 10, 2026
mint has potential CRLF injection in its HTTP request line via unvalidated `method`/`target`
Low
CVE-2026-48861
was published
for
mint
(Erlang)
Jul 9, 2026
hermes-agent has an Injection issue
Low
CVE-2026-10222
was published
for
hermes-agent
(pip)
Jun 1, 2026
Apache Airflow has an Incorrect Authorization issue
Low
CVE-2026-45426
was published
for
apache-airflow
(pip)
Jun 1, 2026
Apache Airflow has an Improper Authorization issue
Low
CVE-2026-40963
was published
for
apache-airflow
(pip)
Jun 1, 2026
FoundationAgents MetaGPT: Deserialization through flawed argument mapping via Message.check_instruct_content()
Low
CVE-2026-10566
was published
for
metagpt
(pip)
Jun 2, 2026
Craft CMS has authenticated path traversal in `assets/icon`, allowing local `.svg` file read
Low
GHSA-c43v-4cr8-6mvp
was published
for
craftcms/cms
(Composer)
Jul 9, 2026
SGLang: Reachable Assertion via lora_path in LoRAManager enables remote Denial of Dervice
Low
CVE-2026-10300
was published
for
sglang
(pip)
Jun 2, 2026
Waku has an Open Redirect via `unstable_redirect` Helper
Low
CVE-2026-49456
was published
for
waku
(npm)
Jul 8, 2026
Logback vulnerable to Object Injection through HardenedObjectInputStream modules
Low
CVE-2026-10532
was published
for
ch.qos.logback:logback-core
(Maven)
Jun 1, 2026
Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning
Low
CVE-2026-46342
was published
for
@nuxt/nitro-server
(npm)
May 19, 2026
AstrBot: Manipulation of astr_main_agent's session_id parameter leads to authorization bypass
Low
CVE-2026-10212
was published
for
AstrBot
(pip)
Jun 1, 2026
Dolibarr ERP CRM is vulnerable to Improper Authorization through its Leave Request REST API
Low
CVE-2026-10215
was published
for
dolibarr/dolibarr
(Composer)
Jun 1, 2026
rama has Stored XSS in ServeDir HTML directory listing via unescaped file names and URI path
Low
GHSA-cwv4-h3j5-w3cf
was published
for
rama
(Rust)
Jul 7, 2026
Webauthn: SimpleFakeCredentialGenerator with an empty secret produces predictable fake credentials, weakening username enumeration protection
Low
GHSA-gq4g-fpc9-vjfq
was published
for
web-auth/webauthn-lib
(Composer)
Jul 7, 2026
Better Auth: Stale sessions persist after user deletion across admin, anonymous, and SCIM flows
Low
GHSA-2vg6-77g8-24mp
was published
for
@better-auth/scim
(npm)
Jul 7, 2026
netfoil: Attacker controlled data written to logs
Low
GHSA-7856-g3gv-9wq8
was published
for
github.com/tinfoil-factory/netfoil
(Go)
Jul 7, 2026
netfoil has a resource leak in LRU cache
Low
GHSA-3g4q-2f67-2gvh
was published
for
github.com/tinfoil-factory/netfoil
(Go)
Jul 7, 2026
Aider has an SSRF vulnerability through its AWS EC2 Metadata Endpoint
Low
CVE-2026-10177
was published
for
aider-chat
(pip)
May 31, 2026
ProTip!
Advisories are also available from the
GraphQL API