
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

424 advisories

Apollo Router Core: Browser Bug Enables Bypass of XS-Search Prevention via Read-Only Cross-Site Request Forgery Moderate
GHSA-hff2-gcpx-8f4p was published for apollo-router (Rust) Mar 26, 2026
Credited to AmirMSafari
Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid() Moderate
CVE-2026-33693 was published for activitypub_federation (Rust) Mar 25, 2026
Credited to SnailSploit
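The entry above concerns an SSRF deny list that let 0.0.0.0 through. The following is an added illustration of what such a target filter needs to cover; it is not activitypub-federation's v4_is_invalid() and makes no claim about how that function is written. All function names (is_blocked_ip, is_blocked_v4, is_blocked_v6, check_target) are hypothetical. It uses only std's IP address types.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// Hypothetical target filter for an outbound fetch (illustration only; this is
/// not activitypub-federation's v4_is_invalid()). Returns true when `ip` must
/// not be contacted. Apply it to the *resolved* address, so a hostname that
/// resolves to 0.0.0.0 or 127.0.0.1 is caught as well.
pub fn is_blocked_ip(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => is_blocked_v4(v4),
        IpAddr::V6(v6) => is_blocked_v6(v6),
    }
}

pub fn is_blocked_v4(ip: Ipv4Addr) -> bool {
    let o = ip.octets();
    ip.is_unspecified()          // 0.0.0.0: on Linux a connect() to it reaches the local host
        || ip.is_loopback()      // 127.0.0.0/8
        || ip.is_private()       // 10/8, 172.16/12, 192.168/16
        || ip.is_link_local()    // 169.254/16, includes the cloud metadata address 169.254.169.254
        || ip.is_broadcast()     // 255.255.255.255
        || ip.is_documentation() // 192.0.2/24, 198.51.100/24, 203.0.113/24
        || (o[0] == 100 && (o[1] & 0xC0) == 64) // 100.64/10 carrier-grade NAT
}

pub fn is_blocked_v6(ip: Ipv6Addr) -> bool {
    // An IPv4-mapped address (::ffff:a.b.c.d) must be judged by the IPv4 rules,
    // otherwise ::ffff:127.0.0.1 slips past an IPv4-only deny list.
    if let Some(v4) = ip.to_ipv4_mapped() {
        return is_blocked_v4(v4);
    }
    let s = ip.segments();
    ip.is_unspecified()              // ::
        || ip.is_loopback()          // ::1
        || (s[0] & 0xfe00) == 0xfc00 // fc00::/7 unique local
        || (s[0] & 0xffc0) == 0xfe80 // fe80::/10 link local
}

/// Parse a textual address and apply the filter. std's parser only accepts
/// full dotted-quad / RFC 4291 forms, so shorthand such as "127.1" or "0"
/// is rejected here instead of being interpreted by the socket layer.
pub fn check_target(addr: &str) -> Result<IpAddr, String> {
    let ip: IpAddr = addr.parse().map_err(|e| format!("{addr}: {e}"))?;
    if is_blocked_ip(ip) {
        return Err(format!("{addr}: refused, non-public address"));
    }
    Ok(ip)
}

fn main() {
    for a in ["0.0.0.0", "127.1", "169.254.169.254", "::ffff:127.0.0.1", "93.184.216.34"] {
        println!("{a:>18} -> {:?}", check_target(a));
    }
}
```

The filter is only as good as the address it is applied to: run it on every address the resolver returns and, where the HTTP client allows it, on the peer address of the socket actually connected, so that DNS rebinding between the check and the connect does not reopen the hole.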
webpki: CRLs not considered authoritative by Distribution Point due to faulty matching logic Moderate
GHSA-pwjx-qhcg-rvj4 was published for rustls-webpki (Rust) Mar 20, 2026
Credited to 1seal, ctz, and crowlandsimms
tar-rs `unpack_in` can chmod arbitrary directories by following symlinks Moderate
CVE-2026-33056 was published for tar (Rust) Mar 20, 2026
Credited to xokdvium
tar-rs incorrectly ignores PAX size headers if header size is nonzero Moderate
CVE-2026-33055 was published for tar (Rust) Mar 20, 2026
Credited to xokdvium and woodruffw
astral-tokio-tar insufficiently validates PAX extensions during extraction Moderate
CVE-2026-32766 was published for astral-tokio-tar (Rust) Mar 17, 2026
Credited to woodruffw and xokdvium
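The two tar entries above (tar-rs ignoring a PAX size record when the ustar size is nonzero, and astral-tokio-tar under-validating PAX extensions) both come down to how the PAX extended header is parsed and which size an extractor trusts. The block below is an added example, not code from tar-rs or astral-tokio-tar: a strict PAX record parser plus the size rule POSIX specifies, alongside a reconstruction of the lenient rule the tar-rs title describes so the disagreement is visible. Function names and the sample header are constructed for the illustration.

```rust
/// Parse the body of a PAX extended header (typeflag 'x' or 'g') into
/// (key, value) records. Added illustration; not tar-rs or astral-tokio-tar code.
/// Each record is "<len> <key>=<value>\n" where <len> is the decimal byte
/// length of the whole record, digits and newline included. Every field is
/// validated so a malformed record is an error rather than a silent skip.
pub fn parse_pax(data: &[u8]) -> Result<Vec<(String, String)>, String> {
    let mut records = Vec::new();
    let mut pos = 0;
    while pos < data.len() {
        let rest = &data[pos..];
        let sp = rest
            .iter()
            .position(|&b| b == b' ')
            .ok_or("record has no space after the length field")?;
        let digits = std::str::from_utf8(&rest[..sp]).map_err(|_| "length field is not ASCII")?;
        if digits.is_empty() || !digits.bytes().all(|b| b.is_ascii_digit()) {
            return Err(format!("length field {digits:?} is not a decimal number"));
        }
        let len: usize = digits.parse().map_err(|_| "length field overflows usize")?;
        // Shortest legal record is "<d> k=\n": digits + space + "k=" + newline.
        if len < sp + 4 || len > rest.len() {
            return Err(format!("record length {len} does not fit the header"));
        }
        let record = &rest[..len];
        if record[len - 1] != b'\n' {
            return Err("record does not end with a newline".into());
        }
        let body = std::str::from_utf8(&record[sp + 1..len - 1]).map_err(|_| "record is not UTF-8")?;
        let (key, value) = body.split_once('=').ok_or("record has no '='")?;
        if key.is_empty() {
            return Err("record has an empty key".into());
        }
        records.push((key.to_string(), value.to_string()));
        pos += len;
    }
    Ok(records)
}

/// The size an extractor must use for the entry that follows. POSIX says a
/// PAX `size` record overrides the ustar size field unconditionally; the
/// last occurrence wins when a key is repeated.
pub fn effective_size(ustar_size: u64, pax: &[(String, String)]) -> Result<u64, String> {
    match pax.iter().rev().find(|(k, _)| k == "size") {
        Some((_, v)) => v.parse::<u64>().map_err(|_| format!("PAX size {v:?} is not a valid number")),
        None => Ok(ustar_size),
    }
}

/// The behaviour the tar-rs advisory title describes, reconstructed for
/// contrast (not tar-rs code): the PAX size is consulted only when the ustar
/// size is zero. With a nonzero ustar size, this parser and a strict one
/// disagree about where the entry's data ends, so they see different entries
/// after it.
pub fn effective_size_lenient(ustar_size: u64, pax: &[(String, String)]) -> u64 {
    if ustar_size != 0 {
        return ustar_size;
    }
    pax.iter()
        .rev()
        .find(|(k, _)| k == "size")
        .and_then(|(_, v)| v.parse::<u64>().ok())
        .unwrap_or(0)
}

fn main() {
    // Constructed sample: a PAX header claiming an 11-digit size while the
    // ustar header that follows it says 512.
    let pax = b"20 size=12345678901\n21 path=dir/file.txt\n";
    let records = parse_pax(pax).expect("well-formed PAX header");
    println!("strict:  {:?}", effective_size(512, &records));
    println!("lenient: {}", effective_size_lenient(512, &records));
}
```

The practical check when auditing an extractor is the pair of results in main: a scanner that trusts the PAX size and an extractor that trusts the ustar field will walk different 512-byte block boundaries after this entry, which is exactly the kind of parser differential that lets an archive hide content from one tool and reveal it to another.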
Uncaught Exception in Macro Expecting Native Function to Exist Moderate
GHSA-6wr5-jmpr-mjcx was published for surrealdb (Rust) Feb 21, 2024
Credited to idofilus
Uncaught Exception Handling Parsing Errors on Line Terminators Moderate
GHSA-8xff-473h-f863 was published for surrealdb (Rust) Feb 21, 2024
Credited to Cheyenne1025
rs-soroban-sdk: `Fr` scalar field equality comparison bypasses modular reduction Moderate
CVE-2026-32322 was published for soroban-sdk (Rust) Mar 13, 2026
Credited to leighmcculloch
ZeptoClaw: Email Sender Spoofing to bypass Header-Only From Allowlist Validation Moderate
GHSA-4cm8-xpfv-jv6f was published for zeptoclaw (Rust) Mar 12, 2026
Credited to zpbrent
kora-lib: Token-2022 Transfer Fee Not Deducted During Payment Verification Moderate
GHSA-725g-w329-g7qr was published for kora-lib (Rust) Mar 12, 2026
Credited to solanabughunter-glitch
kora-lib: Unrecognized Instruction Types Create Empty Stubs That Bypass Fee Payer Policy Moderate
GHSA-x442-m7cc-hr92 was published for kora-lib (Rust) Mar 12, 2026
Credited to solanabughunter-glitch
actix-web-lab has host header poisoning in redirect middleware that can generate attacker-controlled absolute redirects Moderate
GHSA-vhj5-x93p-67jw was published for actix-web-lab (Rust) Mar 11, 2026
stellar-xdr's StringM::from_str bypasses max length validation Moderate
CVE-2026-29795 was published for stellar-xdr (Rust) Mar 5, 2026
Credited to leighmcculloch
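The stellar-xdr entry above is a bounded-length string type whose FromStr path skipped the length check. As an added example, not stellar-xdr's StringM or any of its code, the block below shows the pattern that prevents this class of bug: one checked constructor, with every conversion trait delegating to it, and an unchecked variant kept only to show the shape of the flaw. BoundedString, BoundError and from_str_unchecked are hypothetical names.

```rust
use std::convert::TryFrom;
use std::str::FromStr;

/// Error returned when a string exceeds the fixed maximum.
#[derive(Debug, PartialEq)]
pub enum BoundError {
    TooLong { len: usize, max: usize },
}

/// Hypothetical bounded string of at most MAX bytes. Illustration only, not
/// stellar-xdr's StringM. The limit is enforced in exactly one place.
#[derive(Debug, PartialEq)]
pub struct BoundedString<const MAX: usize>(String);

impl<const MAX: usize> BoundedString<MAX> {
    /// The single checked constructor; every other entry point delegates here.
    pub fn new(s: String) -> Result<Self, BoundError> {
        // Bytes, not chars: a wire format bounds the encoded length.
        let len = s.len();
        if len > MAX {
            return Err(BoundError::TooLong { len, max: MAX });
        }
        Ok(BoundedString(s))
    }

    pub fn as_str(&self) -> &str {
        &self.0
    }
}

impl<const MAX: usize> TryFrom<String> for BoundedString<MAX> {
    type Error = BoundError;
    fn try_from(s: String) -> Result<Self, BoundError> {
        Self::new(s)
    }
}

impl<const MAX: usize> FromStr for BoundedString<MAX> {
    type Err = BoundError;
    fn from_str(s: &str) -> Result<Self, BoundError> {
        // Delegating instead of wrapping `s.to_string()` directly is the whole
        // point: an `impl FromStr` that builds the value itself silently
        // becomes a second, unchecked constructor.
        Self::new(s.to_string())
    }
}

/// The shape of the flaw the advisory title describes, kept for contrast:
/// a parse path that wraps the input without consulting MAX. Constructed
/// illustration, not stellar-xdr's code.
pub fn from_str_unchecked<const MAX: usize>(s: &str) -> BoundedString<MAX> {
    BoundedString(s.to_string())
}

fn main() {
    let ok: Result<BoundedString<8>, _> = "hello".parse();
    let too_long: Result<BoundedString<8>, _> = "hello, world".parse();
    println!("{ok:?}\n{too_long:?}");
    println!(
        "unchecked: {} bytes accepted against a limit of 8",
        from_str_unchecked::<8>("hello, world").as_str().len()
    );
}
```

When reviewing a type like this, list every way a value can be built (new, TryFrom, FromStr, Deserialize, From<&[u8]>, macros) and confirm each one reaches the same check; a grep for the tuple-struct constructor outside the module is the quickest way to find a path that does not.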
Vaultwarden has 2FA Bypass on Protected Actions due to Faulty Rate Limit Enforcement Moderate
CVE-2026-27801 was published for vaultwarden (Rust) Mar 4, 2026
Credited to d-xuan, BlackDex, and dani-garcia
neqo-qpack has integer overflow in qpack dynamic table indexing Moderate
GHSA-6w86-wgwq-rgq8 was published for neqo-qpack (Rust) Mar 4, 2026
Vaultwarden has Unauthorized Access via Partial Update API on Another User’s Cipher Moderate
CVE-2026-27898 was published for vaultwarden (Rust) Mar 4, 2026
Credited to odgrso and BlackDex
uv has ZIP payload obfuscation through parsing differentials Moderate
CVE-2025-13327 was published for uv (Rust) Feb 27, 2026
Hive has Double-free and Use After Free Vulnerabilities Moderate
GHSA-j8cj-hw74-64jv was published for hivex (Rust) Feb 28, 2026
Wasmtime can panic when adding excessive fields to a `wasi:http/types.fields` instance Moderate
CVE-2026-27572 was published for wasmtime (Rust) Feb 24, 2026
Credited to alexcrichton
Wasmtime WASI implementations are vulnerable to guest-controlled resource exhaustion Moderate
CVE-2026-27204 was published for wasmtime (Rust) Feb 24, 2026
Credited to mbund, alexcrichton, and pchickey
Wasmtime is vulnerable to panic when dropping a `[Typed]Func::call_async` future Moderate
CVE-2026-27195 was published for wasmtime (Rust) Feb 24, 2026
Credited to dicej
time vulnerable to stack exhaustion Denial of Service attack Moderate
CVE-2026-25727 was published for time (Rust) Feb 5, 2026
Credited to kroemeke and jhpratt
Credited to naoyashiga and joseluisq
rPGP's integrity protection of encrypted data was not always checked Moderate
GHSA-c7ph-f7jm-xv4w was published for pgp (Rust) Feb 13, 2026