GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
14,499 advisories
Filter by severity
daphne: Unauthenticated attackers can cause excessive memory consumption by sending arbitrarily large WebSocket messages/frames
Moderate
CVE-2026-44545
was published
for
daphne
(pip)
Jun 3, 2026
Excon does not redact additional sensitive/risky headers when following redirects
Moderate
CVE-2026-54171
was published
for
excon
(RubyGems)
Jul 10, 2026
Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input
Moderate
CVE-2026-54163
was published
for
secure_headers
(RubyGems)
Jul 10, 2026
Windmill: Resource-scoped API tokens can read script contents outside their allowed path via scripts/list_search
Moderate
CVE-2026-54136
was published
for
windmill-api
(Rust)
Jul 10, 2026
SiYuan: Unauthenticated SQLite Data Exfiltration via Template Injection in /api/icon/getDynamicIcon
Moderate
CVE-2026-54068
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
CredSweeper: Recursive archive size-limit bypass in deep scanner allows crafted compressed inputs to exhaust resources
Moderate
GHSA-9mqm-qcwf-5qhg
was published
for
credsweeper
(pip)
Jul 10, 2026
Pimcore has a WordExport Authorization Bypass for Unauthorized Document Export
Moderate
CVE-2026-45703
was published
for
pimcore/pimcore
(Composer)
May 27, 2026
MCP Atlassian: DNS-rebinding TOCTOU bypass of the SSRF fix (CVE-2026-27826)
Moderate
GHSA-489g-7rxv-6c8q
was published
for
mcp-atlassian
(pip)
Jul 10, 2026
tarteaucitron: data-cookie attribute can be used to delete arbitrary cookies
Moderate
CVE-2026-49977
was published
for
tarteaucitronjs
(npm)
Jul 10, 2026
Kimai has Server-Side Request Forgery in Invoice PDF Rendering via Markdown Image URLs
Moderate
CVE-2026-49865
was published
for
kimai/kimai
(Composer)
Jul 10, 2026
morgan vulnerable to Log Forging via unneutralized control characters in :remote-user
Moderate
CVE-2026-5078
was published
for
morgan
(npm)
Jul 10, 2026
API Platform Core vulnerable to cross-user attribute leak in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate
Moderate
CVE-2026-49858
was published
for
api-platform/core
(Composer)
Jul 10, 2026
netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion
Moderate
CVE-2026-48043
was published
for
io.netty:netty-codec-http2
(Maven)
Jun 11, 2026
golang.org/x/crypto is vulnerable to invoking server panic during CheckHostKey/Authenticate flow
Moderate
CVE-2026-39835
was published
for
golang.org/x/crypto
(Go)
Jun 25, 2026
Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks
Moderate
CVE-2026-48710
was published
for
starlette
(pip)
Jun 4, 2026
pip: Path traversal in console_scripts/gui_scripts entry point names allows installing scripts outside of target directory
Moderate
CVE-2026-8643
was published
for
pip
(pip)
Jun 1, 2026
golang.org/x/crypto vulnerable to invoking bypass of certificate restrictions
Moderate
CVE-2026-39828
was published
for
golang.org/x/crypto
(Go)
Jun 25, 2026
GoBGP confederation validation panics on empty AS_PATH attribute
Moderate
CVE-2026-49838
was published
for
github.com/osrg/gobgp/v4
(Go)
Jul 9, 2026
GoBGP: BGP OPEN capability parser may read capability values outside declared CapLen boundaries
Moderate
CVE-2026-49837
was published
for
github.com/osrg/gobgp/v4
(Go)
Jul 9, 2026
psd-tools vulnerable to arbitrary file write via smart-object filename
Moderate
CVE-2026-49836
was published
for
psd-tools
(pip)
Jul 9, 2026
sigstore-go has a multi-log threshold bypass via single compromised log
Moderate
CVE-2026-49834
was published
for
github.com/sigstore/sigstore-go
(Go)
Jul 9, 2026
Rattler vulnerable to package cache path traversal via conda package build string
Moderate
CVE-2026-53956
was published
for
py_rattler
(pip)
Jul 9, 2026
OpenRun: Redirect URL validation bypass using //host paths leads to Open Redirect
Moderate
CVE-2026-55252
was published
for
github.com/openrundev/openrun
(Go)
Jul 9, 2026
mint: Content-Length header accepts non-RFC "+" sign prefix
Moderate
CVE-2026-49753
was published
for
mint
(Erlang)
Jul 9, 2026
Jupyter Server vulnerable to Path Traversal via incorrect root directory boundary check in _get_os_path()
Moderate
CVE-2026-5422
was published
for
jupyter-server
(pip)
Jun 2, 2026
ProTip!
Advisories are also available from the
GraphQL API