GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

32 advisories

Fleet vulnerable to Denial of Service via unhandled gRPC log type in launcher endpoint Moderate
CVE-2026-34388 was published for github.com/fleetdm/fleet/v4 (Go) Mar 30, 2026
malcontent: Nested archive extraction failure can drop content from scan inputs Moderate
CVE-2026-28407 was published for github.com/chainguard-dev/malcontent (Go) Feb 28, 2026
Credited to 1seal and egibs
rPGP vulnerable to parser crash on crafted RSA secret key packets through CVE-2026-21895 High
GHSA-7587-4wv6-m68m was published for pgp (Rust) Feb 13, 2026
Credited to invd
Emmett-Core: Unhandled CookieError Exception Causing Denial of Service High
CVE-2026-25577 was published for emmett-core (pip) Feb 10, 2026
Credited to Ryu-GeonWoo
Decidim's private data exports can lead to data leaks High
CVE-2025-65017 was published for decidim (RubyGems) Feb 3, 2026
Credited to ahukkanen
CometBFT has inconsistencies between how commit signatures are verified and how block time is derived High
GHSA-c32p-wcqj-j677 was published for github.com/cometbft/cometbft (Go) Jan 23, 2026
rsa crate has potential panic on a prime being equal to 1 Low
CVE-2026-21895 was published for rsa (Rust) Jan 6, 2026
Credited to invd
Duplicate Advisory: Nodemailer is vulnerable to DoS through Uncontrolled Recursion Moderate
GHSA-46j5-6fg5-4gv3 was published for nodemailer (npm) Dec 18, 2025 withdrawn
Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls High
CVE-2025-14874 was published for nodemailer (npm) Dec 1, 2025
Credited to uko3211
KubeVirt VMI Denial-of-Service (DoS) Using Pod Impersonation Moderate
CVE-2025-64435 was published for kubevirt.io/kubevirt (Go) Nov 6, 2025
Credited to mihailkirov and Faeris95
Argo CD Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook High
CVE-2025-59538 was published for github.com/argoproj/argo-cd/v2 (Go) Sep 30, 2025
Credited to jake-ciolek, crenshaw-dev, and blakepettersson
Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload High
CVE-2025-59531 was published for github.com/argoproj/argo-cd (Go) Sep 30, 2025
Credited to jake-ciolek, crenshaw-dev, and blakepettersson
TinyEnv: Missing .env file not required — may cause unexpected behavior Moderate
CVE-2025-58758 was published for datahihi1/tiny-env (Composer) Sep 9, 2025
HAX CMS NodeJS Application Has Improper Error Handling That Leads to Denial of Service High
CVE-2025-54134 was published for @haxtheweb/haxcms-nodejs (npm) Jul 21, 2025
Credited to asareynolds
ntpd NTS client denial of service via wrongly sized cookies Moderate
GHSA-v83q-83hj-rw38 was published for ntpd (Rust) Feb 28, 2025
Credited to rzaba0
CometBFT allows a malicious peer to make node stuck in blocksync Moderate
CVE-2025-24371 was published for github.com/cometbft/cometbft (Go) Feb 3, 2025
Credited to unknownfeature
Lodestar snappy decompression issue Low
GHSA-53rv-hcvm-rpp9 was published for @lodestar/reqresp (npm) Jan 14, 2025
Credited to gln7
Vyper Does Not Check the Success of Certain Precompile Calls Low
CVE-2025-21607 was published for vyper (pip) Jan 14, 2025
Credited to ritzdorf, vasinicola, and trocher
notation-go has an OS error when setting CRL cache leads to denial of signature verification Low
CVE-2024-51491 was published for github.com/notaryproject/notation-go (Go) Jan 13, 2025
Credited to Faeris95, JeyJeyGao, and shizhMSFT
Hashicorp Vault vulnerable to Improper Check or Handling of Exceptional Conditions High
CVE-2024-6468 was published for github.com/hashicorp/vault (Go) Jul 11, 2024
Credited to westonsteimel
node-twain vulnerable to Improper Check or Handling of Exceptional Conditions High
CVE-2024-21525 was published for node-twain (npm) Jul 10, 2024
Kubelet Incorrect Privilege Assignment Moderate
CVE-2019-11245 was published for k8s.io/kubernetes/cmd/kubelet (Go) Apr 24, 2024
HashiCorp Vault does not correctly validate OCSP responses Moderate
CVE-2024-2660 was published for github.com/hashicorp/vault (Go) Apr 4, 2024
Rust EVM erroneously handles `record_external_operation` error return Moderate
CVE-2024-21629 was published for evm (Rust) Jan 3, 2024
Apollo Router vulnerable to Improper Check or Handling of Exceptional Conditions High
CVE-2023-45812 was published for apollo-router (Rust) Oct 19, 2023
Credited to garypen, BrynCooke, BryanBarron, jasonbarnett667, and shorgi