Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
42
GitHub Actions
42
Go
3,138
Maven
5,000+
npm
5,000+
NuGet
831
pip
4,438
Pub
12
RubyGems
990
Rust
1,174
Swift
50
Unreviewed advisories
All unreviewed
5,000+

1,174 advisories

Loading
actix-web-lab has host header poisoning in redirect middleware can generate attacker-controlled absolute redirects Moderate
GHSA-vhj5-x93p-67jw was published for actix-web-lab (Rust) Mar 11, 2026
Quinn affected by unauthenticated remote DoS via panic in QUIC transport parameter parsing High
CVE-2026-31812 was published for quinn-proto (Rust) Mar 11, 2026
RSSN has Arbitrary Code Execution via Unvalidated JIT Instruction Generation in C-FFI Interface Critical
CVE-2026-30960 was published for rssn (Rust) Mar 10, 2026
panayang Credited to panayang
Soroban: Muxed address<->ScVal conversions may break after a conversion failure Low
GHSA-pm4j-7r4q-ccg8 was published for soroban-env-host (Rust) Mar 7, 2026
`time-sync` was removed from crates.io due to malicious code Critical
GHSA-mh23-rw7f-v5pq was published for time-sync (Rust) Mar 5, 2026
Pingora vulnerable to cache poisoning via insecure-by-default cache key High
CVE-2026-2836 was published for pingora-cache (Rust) Mar 5, 2026
xclow3n Credited to xclow3n
Pingora has HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing Critical
CVE-2026-2835 was published for pingora-core (Rust) Mar 5, 2026
xclow3n Credited to xclow3n
Pingora vulnerable to HTTP Request Smuggling via Premature Upgrade Critical
CVE-2026-2833 was published for pingora-core (Rust) Mar 5, 2026
xclow3n Credited to xclow3n
stellar-xdr's StringM::from_str bypasses max length validation Moderate
CVE-2026-29795 was published for stellar-xdr (Rust) Mar 5, 2026
leighmcculloch Credited to leighmcculloch
`dnp3times` was removed from crates.io due to malicious code Critical
GHSA-xhw7-jhmp-j62j was published for dnp3times (Rust) Mar 5, 2026
zeptoclaw has Shell allowlist-blocklist bypass via command/argument injection and file name wildcards Critical
GHSA-5wp8-q9mx-8jx8 was published for zeptoclaw (Rust) Mar 5, 2026
zpbrent Credited to zpbrent
zeptoclaw has Android device shell blocklist bypass via argument permutation High
GHSA-hhjv-jq77-cmvx was published for zeptoclaw (Rust) Mar 5, 2026
zpbrent Credited to zpbrent
Duplicate Advisory: HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing Critical
GHSA-262p-vjx5-45xh was published for pingora-core (Rust) Mar 5, 2026 withdrawn
Duplicate Advisory: HTTP Request Smuggling via Premature Upgrade Critical
GHSA-f9v3-j2m7-4hpg was published for pingora-core (Rust) Mar 5, 2026 withdrawn
Duplicate Advisory: Cache poisoning via insecure-by-default cache key High
GHSA-2m8c-2374-465f was published for pingora-cache (Rust) Mar 5, 2026 withdrawn
`time_calibrators` was removed from crates.io due to malicious code Critical
GHSA-wf45-3gpw-vrqv was published for time_calibrators (Rust) Mar 4, 2026
Lemmy has unauthenticated SSRF via file_type query parameter injection in image endpoint High
CVE-2026-29178 was published for lemmy_routes (Rust) Mar 4, 2026
q1uf3ng Credited to q1uf3ng
`time_calibrator` was removed from crates.io due to malicious code Critical
GHSA-77xj-rrh3-wx3v was published for time_calibrator (Rust) Mar 4, 2026
neqo-qpack has iInteger overflow in qpack dynamic table indexing Moderate
GHSA-6w86-wgwq-rgq8 was published for neqo-qpack (Rust) Mar 4, 2026
Vaultwarden has Unauthorized Access via Partial Update API on Another User’s Cipher Moderate
CVE-2026-27898 was published for vaultwarden (Rust) Mar 4, 2026
odgrso Credited to odgrso and BlackDex BlackDex BlackDex
Vaultwarden's Collection Management Operations Allowed Without `manage` Verification for Manager Role High
CVE-2026-27803 was published for vaultwarden (Rust) Mar 4, 2026
odgrso Credited to odgrso
Vaultwarden has Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager High
CVE-2026-27802 was published for vaultwarden (Rust) Mar 4, 2026
odgrso Credited to odgrso and BlackDex BlackDex BlackDex
Vaultwarden has 2FA Bypass on Protected Actions due to Faulty Rate Limit Enforcement Moderate
CVE-2026-27801 was published for vaultwarden (Rust) Mar 4, 2026
d-xuan Credited to d-xuan, BlackDex, and dani-garcia BlackDex BlackDex
dani-garcia dani-garcia
AWS-LC has PKCS7_verify Signature Validation Bypass High
GHSA-hfpc-8r3f-gw53 was published for aws-lc-sys (Rust) Mar 3, 2026
AWS-LC has Timing Side-Channel in AES-CCM Tag Verification High
GHSA-65p9-r9h6-22vj was published for aws-lc-fips-sys (Rust) Mar 3, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database