GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
41
GitHub Actions
41
Go
3,103
Maven
5,000+
npm
4,996
NuGet
826
pip
4,426
Pub
12
RubyGems
988
Rust
1,170
Swift
50
Unreviewed advisories
All unreviewed
5,000+
319,206 advisories
Filter by severity
Keycloak SAML Broken has Authentication Bypass by Primary Weakness
High
CVE-2026-3047
was published
for
org.keycloak:keycloak-broker-saml
(Maven)
Mar 5, 2026
Keycloak allows authentication using an Identity Provider (IdP) even after it has been disabled by an administrator
High
CVE-2026-3009
was published
for
org.keycloak:keycloak-services
(Maven)
Mar 5, 2026
RAGAS has an Arbitrary File Read vulnerability
High
CVE-2025-45691
was published
for
ragas
(pip)
Mar 5, 2026
Flowise Missing Authentication on NVIDIA NIM Endpoints
High
CVE-2026-30824
was published
for
flowise
(npm)
Mar 6, 2026
Flowise has IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration
High
CVE-2026-30823
was published
for
flowise
(npm)
Mar 6, 2026
Flowise Allows Mass Assignment in `/api/v1/leads` Endpoint
High
CVE-2026-30822
was published
for
flowise
(npm)
Mar 6, 2026
soft-serve vulnerable to SSRF via unvalidated LFS endpoint in repo import
Critical
CVE-2026-30832
was published
for
github.com/charmbracelet/soft-serve
(Go)
Mar 6, 2026
Zarf's symlink targets in archives are not validated against destination directory
High
CVE-2026-29064
was published
for
github.com/zarf-dev/zarf/src/pkg/archive
(Go)
Mar 6, 2026
CoreDNS Loop Detection Denial of Service Vulnerability
High
CVE-2026-26018
was published
for
github.com/coredns/coredns
(Go)
Mar 6, 2026
Traefik has an Improper Certificate Handling issue
Moderate
CVE-2020-9321
was published
for
github.com/traefik/traefik
(Go)
Sep 2, 2021
fast-xml-parser has stack overflow in XMLBuilder with preserveOrder
Low
CVE-2026-27942
was published
for
fast-xml-parser
(npm)
Feb 26, 2026
SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)
High
CVE-2026-29074
was published
for
svgo
(npm)
Mar 4, 2026
SiYuan: Unauthenticated Reflected XSS via SVG Injection in /api/icon/getDynamicIcon Endpoint
Critical
CVE-2026-29183
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 4, 2026
jackson-core has Nesting Depth Constraint Bypass in `UTF8DataInputJsonParser` potentially allowing Resource Exhaustion
High
CVE-2026-29062
was published
for
tools.jackson.core:jackson-core
(Maven)
Mar 4, 2026
SiYuan's direct SQL Query API accessible to Reader-level users enables unauthorized database access
Moderate
CVE-2026-29073
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 3, 2026
changedetection.io has Zip Slip vulnerability in the backup restore functionality
High
CVE-2026-29065
was published
for
changedetection.io
(pip)
Mar 4, 2026
Nuclio Shell Runtime Command Injection Leading to Privilege Escalation
High
CVE-2026-29042
was published
for
github.com/nuclio/nuclio
(Go)
Mar 4, 2026
changedetection.io vulnerable to XPath - Arbitrary File Read via unparsed-text()
High
CVE-2026-29039
was published
for
changedetection.io
(pip)
Mar 4, 2026
changedetection.io has Reflected XSS in its RSS Tag Error Response
Moderate
CVE-2026-29038
was published
for
changedetection.io
(pip)
Mar 4, 2026
Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification
High
CVE-2026-28802
was published
for
authlib
(pip)
Mar 4, 2026
WWBN AVideo is vulnerable to unauthenticated OS Command Injection via base64Url in objects/getImage.php
Critical
CVE-2026-29058
was published
for
wwbn/avideo
(Composer)
Mar 3, 2026
`melange update-cache` has unbounded HTTP download that can exhaust disk in CI
Moderate
CVE-2026-29049
was published
for
chainguard.dev/melange
(Go)
Mar 2, 2026
pypdf vulnerable to inefficient decoding of ASCIIHexDecode streams
Moderate
CVE-2026-28804
was published
for
pypdf
(pip)
Mar 2, 2026
OpenChatBI has a Path Traversal Vulnerability in save_report Tool
High
CVE-2026-28795
was published
for
openchatbi
(pip)
Mar 2, 2026
CocoIndex Doris target connector didn't verify table name when constructing ALTER TABLE statements
High
CVE-2026-28438
was published
for
cocoindex
(pip)
Mar 2, 2026
ProTip!
Advisories are also available from the
GraphQL API