GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
12,586 advisories

netavark has incorrect error handling for malformed tcp packets
Moderate · CVE-2026-35406 was published for netavark (Rust) · Apr 7, 2026

Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder
Moderate · GHSA-xmrv-pmrh-hhx2 was published for github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream (Go) · Apr 8, 2026

MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint
Moderate · CVE-2026-33866 was published for mlflow (pip) · Apr 7, 2026

pyload-ng has a WebUI JSON permission mismatch that lets ADD/DELETE users invoke MODIFY-only actions
Moderate · GHSA-rfgh-63mg-8pwm was published for pyload-ng (pip) · Apr 8, 2026

HuggingFace Transformers allows for arbitrary code execution in the `Trainer` class
Moderate · CVE-2026-1839 was published for transformers (pip) · Apr 7, 2026

lightrag-hku: JWT Algorithm Confusion Vulnerability
Moderate · CVE-2026-39413 was published for lightrag-hku (pip) · Apr 8, 2026

Hono: Non-breaking space prefix bypass in cookie name handling in getCookie()
Moderate · CVE-2026-39410 was published for hono (npm) · Apr 8, 2026

Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses
Moderate · CVE-2026-39409 was published for hono (npm) · Apr 8, 2026

Hono missing validation of cookie name on write path in setCookie()
Moderate · GHSA-26pp-8wgv-hjvm was published for hono (npm) · Apr 8, 2026

Hono: Path traversal in toSSG() allows writing files outside the output directory
Moderate · CVE-2026-39408 was published for hono (npm) · Apr 8, 2026

Hono: Middleware bypass via repeated slashes in serveStatic
Moderate · CVE-2026-39407 was published for hono (npm) · Apr 8, 2026

@hono/node-server: Middleware bypass via repeated slashes in serveStatic
Moderate · CVE-2026-39406 was published for @hono/node-server (npm) · Apr 8, 2026

JWCrypto: JWE ZIP decompression bomb
Moderate · CVE-2026-39373 was published for jwcrypto (pip) · Apr 8, 2026

openclaw-claude-bridge: sandbox is not effective - `--allowed-tools ""` does not restrict available tools
Moderate · CVE-2026-39398 was published for openclaw-claude-bridge (npm) · Apr 8, 2026

RustFS has an authorization bypass in multipart UploadPartCopy enables cross-bucket object exfiltration
Moderate · CVE-2026-39360 was published for rustfs (Rust) · Apr 8, 2026

Cosign's verify-blob-attestation reports false positive when payload parsing fails
Moderate · CVE-2026-39395 was published for github.com/sigstore/cosign (Go) · Apr 8, 2026

go.etcd.io/bbolt affected by index out-of-range vulnerability
Moderate · CVE-2026-33817 was published for go.etcd.io/bbolt (Go) · Apr 6, 2026

Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
Moderate · CVE-2026-39381 was published for parse-server (npm) · Apr 8, 2026

Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the creation/editing module
Moderate · CVE-2026-31313 was published for feehi/cms (Composer) · Apr 6, 2026

Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the Page Sign parameter
Moderate · CVE-2026-31350 was published for feehi/cms (Composer) · Apr 6, 2026

Feehi CMS has authenticated stored cross-site scripting (XSS) vulnerabilities via the Permissions module
Moderate · CVE-2026-31354 was published for feehi/cms (Composer) · Apr 6, 2026

Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the Category module
Moderate · CVE-2026-31353 was published for feehi/cms (Composer) · Apr 6, 2026

Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the Role Management module
Moderate · CVE-2026-31352 was published for feehi/cms (Composer) · Apr 6, 2026

Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the creation/editing module
Moderate · CVE-2026-31351 was published for feehi/cms (Composer) · Apr 6, 2026

Emissary has a Path Traversal via Blacklist Bypass in Configuration API
Moderate · CVE-2026-35583 was published for gov.nsa.emissary:emissary (Maven) · Apr 8, 2026