Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
41
Go
3,036
Maven
5,000+
npm
4,773
NuGet
824
pip
4,378
Pub
12
RubyGems
987
Rust
1,143
Swift
50
Unreviewed advisories
All unreviewed
5,000+

1,143 advisories

Loading
Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover Critical
CVE-2026-27822 was published for rustfs (Rust) Feb 25, 2026
naoyashiga
Credited to naoyashiga
RustFS: Missing Post Policy Validation leads to Arbitrary Object Write High
CVE-2026-27607 was published for rustfs (Rust) Feb 25, 2026
nikeee
Credited to nikeee
hexchat crate has a Use After Free vulnerability High
GHSA-x43w-ph7m-pfjx was published for hexchat (Rust) Feb 25, 2026
Wasmtime can panic when adding excessive fields to a `wasi:http/types.fields` instance Moderate
CVE-2026-27572 was published for wasmtime (Rust) Feb 24, 2026
alexcrichton
Credited to alexcrichton
Wasmtime WASI implementations are vulnerable to guest-controlled resource exhaustion Moderate
CVE-2026-27204 was published for wasmtime (Rust) Feb 24, 2026
mbund alexcrichton
pchickey
Credited to mbund, alexcrichton, and pchickey
Wasmtime is vulnerable to panic when dropping a `[Typed]Func::call_async` future Moderate
CVE-2026-27195 was published for wasmtime (Rust) Feb 24, 2026
dicej
Credited to dicej
Static Web Server affected by timing-based username enumeration in Basic Authentication due to early response on invalid usernames Moderate
CVE-2026-27480 was published for static-web-server (Rust) Feb 20, 2026
naoyashiga joseluisq
Credited to naoyashiga and joseluisq
Deno has a Command Injection via Incomplete shell metacharacter blocklist in node:child_process High
CVE-2026-27190 was published for deno (Rust) Feb 19, 2026
jackhax
Credited to jackhax
PyO3 has type confusion when accessing data from sublasses of subclasses of native types with `abi3` feature High
GHSA-47qc-857f-7w7f was published for pyo3 (Rust) Feb 19, 2026
Unsoundness in opt-in ARMv8 assembly backend for `keccak` Low
GHSA-3288-p39f-rqpv was published for keccak (Rust) Feb 19, 2026
Improper Digest Verification in httpsig-hyper May Allow Message Integrity Bypass High
CVE-2026-26275 was published for httpsig-hyper (Rust) Feb 17, 2026
divi255
Credited to divi255
The rs-soroban-sdk #[contractimpl] macro calls inherent function instead of trait function when names collide High
CVE-2026-26267 was published for soroban-sdk-macros (Rust) Feb 17, 2026
leighmcculloch mootz12
nan-zellic dmkozh
Credited to leighmcculloch, mootz12, nan-zellic, and dmkozh
`polymarket-client-sdks` was removed from crates.io for malicious code Critical
GHSA-p5vf-5754-x7p3 was published for polymarket-client-sdks (Rust) Feb 13, 2026
rPGP's integrity protection of encrypted data was not always checked Moderate
GHSA-c7ph-f7jm-xv4w was published for pgp (Rust) Feb 13, 2026
rPGP affected by crash in message handling for deeply nested messages High
GHSA-8h58-w33p-wq3g was published for pgp (Rust) Feb 13, 2026
invd
Credited to invd
rPGP vulnerable to parser crash on crafted RSA secret key packets through CVE-2026-21895 High
GHSA-7587-4wv6-m68m was published for pgp (Rust) Feb 13, 2026
invd
Credited to invd
Bug fixes in hpke-rs, hpke-rs-rust-crypto Moderate
GHSA-g433-pq76-6cmf was published for hpke-rs (Rust) Feb 13, 2026
Bug-Fixes in `libcrux-ecdh`, `libcrux-ed25519`, `libcrux-psq` Moderate
GHSA-435g-fcv3-8j26 was published for libcrux-ecdh (Rust) Feb 12, 2026
SurrealDB vulnerable to Denial of Service through scripting function memory edge case Moderate
GHSA-xx7m-69ff-9crp was published for surrealdb (Rust) Feb 12, 2026
LucyEgan
Credited to LucyEgan
`sha-rst` was removed from crates.io for malicious code Critical
GHSA-vgr2-r5hm-f6gf was published for sha-rst (Rust) Feb 12, 2026
`finch_cli_rust` was removed from crates.io for malicious code Critical
GHSA-6v2j-vr4h-f632 was published for finch_cli_rust (Rust) Feb 12, 2026
`finch-rst` was removed from crates.io for malicious code Critical
GHSA-xp79-9mxw-878j was published for finch-rst (Rust) Feb 12, 2026
`uniswap-utils` was removed from crates.io for malicious code Critical
GHSA-x468-phr8-h3p3 was published for uniswap-utils (Rust) Feb 6, 2026
`sha-rust` was removed from crates.io for malicious code Critical
GHSA-3mmg-7c2q-8938 was published for sha-rust (Rust) Feb 6, 2026
`finch-rust` was removed from crates.io for malicious code Critical
GHSA-f8h5-x737-x4xr was published for finch-rust (Rust) Feb 6, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database