Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
41
GitHub Actions
41
Go
3,098
Maven
5,000+
npm
4,985
NuGet
826
pip
4,425
Pub
12
RubyGems
988
Rust
1,170
Swift
50
Unreviewed advisories
All unreviewed
5,000+

3,740 advisories

Loading
`time-sync` was removed from crates.io due to malicious code Critical
GHSA-mh23-rw7f-v5pq was published for time-sync (Rust) Mar 5, 2026
Pingora has HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing Critical
CVE-2026-2835 was published for pingora-core (Rust) Mar 5, 2026
xclow3n Credited to xclow3n
Pingora vulnerable to HTTP Request Smuggling via Premature Upgrade Critical
CVE-2026-2833 was published for pingora-core (Rust) Mar 5, 2026
xclow3n Credited to xclow3n
Gogs: Cross-repository LFS object overwrite via missing content hash verification Critical
CVE-2026-25921 was published for gogs.io/gogs (Go) Mar 5, 2026
zjuchenyuan Credited to zjuchenyuan
Nginx-UI Vulnerable to Unauthenticated Backup Download with Encryption Key Disclosure Critical
CVE-2026-27944 was published for github.com/0xJacky/Nginx-UI (Go) Mar 5, 2026
tenbbughunters Credited to tenbbughunters
`dnp3times` was removed from crates.io due to malicious code Critical
GHSA-xhw7-jhmp-j62j was published for dnp3times (Rust) Mar 5, 2026
zeptoclaw has Shell allowlist-blocklist bypass via command/argument injection and file name wildcards Critical
GHSA-5wp8-q9mx-8jx8 was published for zeptoclaw (Rust) Mar 5, 2026
zpbrent Credited to zpbrent
Duplicate Advisory: HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing Critical
GHSA-262p-vjx5-45xh was published for pingora-core (Rust) Mar 5, 2026 withdrawn
Duplicate Advisory: HTTP Request Smuggling via Premature Upgrade Critical
GHSA-f9v3-j2m7-4hpg was published for pingora-core (Rust) Mar 5, 2026 withdrawn
pac4j-jwt: JwtAuthenticator Authentication Bypass via JWE-Wrapped PlainJWT Critical
CVE-2026-29000 was published for org.pac4j:pac4j-jwt (Maven) Mar 5, 2026
fritzdal Credited to fritzdal
ZITADEL has 1-Click Account Takeover via XSS in /saml-post Endpoint Critical
CVE-2026-29191 was published for github.com/zitadel/zitadel (Go) Mar 4, 2026
amit-laish Credited to amit-laish, bastionstack, and livio-a bastionstack bastionstack
livio-a livio-a
File Browser's TUS Delete Endpoint Bypasses Delete Permission Check Critical
CVE-2026-29188 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 4, 2026
fg0x0 Credited to fg0x0 and hacdias hacdias hacdias
SiYuan: Unauthenticated Reflected XSS via SVG Injection in /api/icon/getDynamicIcon Endpoint Critical
CVE-2026-29183 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 4, 2026
maru1009 Credited to maru1009
`time_calibrators` was removed from crates.io due to malicious code Critical
GHSA-wf45-3gpw-vrqv was published for time_calibrators (Rust) Mar 4, 2026
`time_calibrator` was removed from crates.io due to malicious code Critical
GHSA-77xj-rrh3-wx3v was published for time_calibrator (Rust) Mar 4, 2026
Apache Artemis and Apache ActiveMQ Artemis are Missing Authentication for Critical Functions Critical
CVE-2026-27446 was published for org.apache.activemq:artemis-server (Maven) Mar 4, 2026
Craft CMS Vulnerable to Authenticated RCE via "craft.app.fs.write()" in Twig Templates Critical
CVE-2026-28697 was published for craftcms/cms (Composer) Mar 3, 2026
mHe4am Credited to mHe4am
PickleScan has multiple stdlib modules with direct RCE not in blocklist Critical
GHSA-g38g-8gr9-h9xp was published for picklescan (pip) Mar 3, 2026
yash2998chhabria Credited to yash2998chhabria
PickleScan's pkgutil.resolve_name has a universal blocklist bypass Critical
GHSA-vvpj-8cmc-gx39 was published for picklescan (pip) Mar 3, 2026
yash2998chhabria Credited to yash2998chhabria
PickleScan's profile.run blocklist mismatch allows exec() bypass Critical
GHSA-7wx9-6375-f5wh was published for picklescan (pip) Mar 3, 2026
yash2998chhabria Credited to yash2998chhabria
WWBN AVideo is vulnerable to unauthenticated OS Command Injection via base64Url in objects/getImage.php Critical
CVE-2026-29058 was published for wwbn/avideo (Composer) Mar 3, 2026
arkmarta Credited to arkmarta
OpenSTAManager affected by unauthenticated privilege escalation via modules/utenti/actions.php Critical
CVE-2026-27012 was published for devcode-it/openstamanager (Composer) Mar 3, 2026
RunProgram Credited to RunProgram
Froxlor has Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection Critical
CVE-2026-26279 was published for froxlor/froxlor (Composer) Mar 3, 2026
Moonster8282 Credited to Moonster8282
Rancher cloud credentials can be used through proxy API by users without access Critical
CVE-2021-25320 was published for github.com/rancher/rancher (Go) Mar 3, 2026
Rancher has downstream cluster privilege escalation through cluster and project role template binding (CRTB/PRTB) Critical
CVE-2022-31247 was published for github.com/rancher/rancher (Go) Mar 3, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database