GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
41
Go
3,034
Maven
5,000+
npm
4,769
NuGet
824
pip
4,375
Pub
12
RubyGems
987
Rust
1,143
Swift
50
Unreviewed advisories
All unreviewed
5,000+
26,410 advisories
Filter by severity
Terraform Provider for Linode Debug Logs Vulnerable to Sensitive Information Exposure
Moderate
CVE-2026-27900
was published
for
github.com/linode/terraform-provider-linode
(Go)
Feb 26, 2026
pypdf: Manipulated FlateDecode XFA streams can exhaust RAM
Moderate
CVE-2026-27888
was published
for
pypdf
(pip)
Feb 26, 2026
dottie is vulnerable to Prototype Pollution bypass via non-first path segments in set() and transform()
Moderate
CVE-2026-27837
was published
for
dottie
(npm)
Feb 26, 2026
Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users
High
CVE-2026-27465
was published
for
github.com/fleetdm/fleet/v4
(Go)
Feb 26, 2026
Weblate: Missing access control for the AddonViewSet API exposes all addon configurations
Moderate
CVE-2026-27457
was published
for
weblate
(pip)
Feb 26, 2026
Fleet: Authorization Bypass in certificate template batch deletion for team administrators
Moderate
CVE-2026-25963
was published
for
github.com/fleetdm/fleet/v4
(Go)
Feb 26, 2026
Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint
Moderate
CVE-2026-24004
was published
for
github.com/fleetdm/fleet/v4
(Go)
Feb 26, 2026
Fleet: Device lock PIN can be predicted if lock time is known
Moderate
CVE-2026-23999
was published
for
github.com/fleetdm/fleet/v4
(Go)
Feb 26, 2026
n8n: Webhook Forgery on Github Webhook Trigger
Moderate
GHSA-mqpr-49jj-32rc
was published
for
n8n
(npm)
Feb 26, 2026
n8n: SQL Injection in MySQL, PostgreSQL, and Microsoft SQL nodes
Moderate
GHSA-f3f2-mcxc-pwjx
was published
for
n8n
(npm)
Feb 26, 2026
Vikunja has Path Traversal in CLI Restore
High
CVE-2026-27819
was published
for
code.vikunja.io/api
(Go)
Feb 26, 2026
TerriaJS-Server has a domain validation bypass vulnerability in its proxy allowlist
High
CVE-2026-27818
was published
for
terriajs-server
(npm)
Feb 26, 2026
psd-tools: Compression module has unguarded zlib decompression, missing dimension validation, and hardening gaps
Moderate
CVE-2026-27809
was published
for
psd-tools
(pip)
Feb 26, 2026
Mailpit is Vulnerable to Server-Side Request Forgery (SSRF) via Link Check API
Moderate
CVE-2026-27808
was published
for
github.com/axllent/mailpit
(Go)
Feb 26, 2026
mcp-server-git : Path traversal in git_add allows staging files outside repository boundaries
Moderate
CVE-2026-27735
was published
for
mcp-server-git
(pip)
Feb 26, 2026
Storybook Dev Server is Vulnerable to WebSocket Hijacking
High
CVE-2026-27148
was published
for
storybook
(npm)
Feb 26, 2026
Fleet has an SQL Injection vulnerability via backtick escape in ORDER BY parameter
Moderate
CVE-2026-26186
was published
for
github.com/fleetdm/fleet/v4
(Go)
Feb 26, 2026
Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter
Critical
CVE-2026-27804
was published
for
parse-server
(npm)
Feb 25, 2026
Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover
Critical
CVE-2026-27822
was published
for
rustfs
(Rust)
Feb 25, 2026
LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader
Moderate
CVE-2026-27795
was published
for
@langchain/community
(npm)
Feb 25, 2026
LangGraph: BaseCache Deserialization of Untrusted Data may lead to Remote Code Execution
Moderate
CVE-2026-27794
was published
for
langgraph-checkpoint
(pip)
Feb 25, 2026
esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route
High
CVE-2026-27730
was published
for
github.com/esm-dev/esm.sh
(Go)
Feb 25, 2026
Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline
Critical
CVE-2026-27739
was published
for
@angular/ssr
(npm)
Feb 25, 2026
Angular SSR has an Open Redirect via X-Forwarded-Prefix
Moderate
CVE-2026-27738
was published
for
@angular/ssr
(npm)
Feb 25, 2026
Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure
High
CVE-2026-27616
was published
for
code.vikunja.io/api
(Go)
Feb 25, 2026
ProTip!
Advisories are also available from the
GraphQL API