GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

10,081 advisories

Plexus-Utils has a Directory Traversal vulnerability in its extractFile method (High)
CVE-2025-67030 was published for org.codehaus.plexus:plexus-utils (Maven) Mar 25, 2026
Credited to udengaardandersent-ELS and timtebeek

Jackson Core: Document length constraint bypass in blocking, async, and DataInput parsers (High)
GHSA-2m67-wjpj-xhg9 was published for tools.jackson.core:jackson-core (Maven) Apr 4, 2026
Credited to anyzy2003, Adrian-Hirt, and pjfanning

RAGAS has an Arbitrary File Read vulnerability (High)
CVE-2025-45691 was published for ragas (pip) Mar 5, 2026
Credited to adithyan-ak

Pretext: Algorithmic Complexity (DoS) in the text analysis phase (High)
GHSA-5478-66c3-rhxr was published for @chenglou/pretext (npm) Apr 8, 2026
Credited to NapongiZero

basic-ftp has FTP Command Injection via CRLF (High)
GHSA-chqc-8p9q-pq6q was published for basic-ftp (npm) Apr 8, 2026
Credited to zebbern

AGiXT Vulnerable to Path Traversal in safe_join() (High)
GHSA-5gfj-64gh-mgmw was published for agixt (pip) Apr 8, 2026
Credited to YeranG30

Laravel Passport: TokenGuard Authenticates Unrelated User for Client Credentials Tokens (High)
GHSA-349c-2h2f-mxf6 was published for laravel/passport (Composer) Apr 8, 2026
Credited to pushpak1300

n8n-mcp has authenticated SSRF via instance-URL header in multi-tenant HTTP mode (High)
GHSA-4ggg-h7ph-26qr was published for n8n-mcp (npm) Apr 8, 2026
Credited to ibrahmsql

mercure has Topic Selector Cache Key Collision (High)
GHSA-hwr4-mq23-wcv5 was published for github.com/dunglas/mercure (Go) Apr 8, 2026
Credited to dunglas

XWiki vulnerable to remote code execution with script right through unprotected Velocity scripting API (High)
CVE-2026-33229 was published for org.xwiki.platform:xwiki-platform-legacy-oldcore (Maven) Apr 8, 2026
Credited to azefzafyoussef
Eclipse Jetty: Early return from the JASPIAuthenticator code can potentially not clear ThreadLocal variables (High)
CVE-2026-5795 was published for org.eclipse.jetty.ee10:jetty-ee10 (Maven) Apr 8, 2026

mcp-from-openapi is Vulnerable to SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications (High)
CVE-2026-39885 was published for @frontmcp/adapters (npm) Apr 8, 2026
Credited to TharVid and frontegg-david

Apache Cassandra is vulnerable to privilege escalation in an mTLS environment using MutualTlsAuthenticator (High)
CVE-2026-27314 was published for org.apache.cassandra:cassandra-all (Maven) Apr 7, 2026

opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking (High)
CVE-2026-39883 was published for go.opentelemetry.io/otel/sdk (Go) Apr 8, 2026
Credited to kodareef5 and dmathieu

PraisonAI has Template Injection in Agent Tool Definitions (High)
CVE-2026-39891 was published for praisonai (pip) Apr 8, 2026
Credited to offset

PraisonAI Has Unauthenticated SSE Event Stream that Exposes All Agent Activity in A2U Server (High)
CVE-2026-39889 was published for praisonai (pip) Apr 8, 2026
Credited to srisowmya2000

CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller (High)
CVE-2026-39394 was published for ci4-cms-erp/ci4ms (Composer) Apr 8, 2026
Credited to offset

CI4MS Vulnerable to Post-Installation Re-entry via Cache-Dependent Install Guard Bypass (High)
CVE-2026-39393 was published for ci4-cms-erp/ci4ms (Composer) Apr 8, 2026
Credited to offset

Keycloak: Unauthorized access via improper validation of encrypted SAML assertions (High)
CVE-2026-2092 was published for org.keycloak:keycloak-saml-adapter-core (Maven) Mar 18, 2026

Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit (High)
CVE-2026-27806 was published for github.com/fleetdm/fleet/v4 (Go) Apr 8, 2026
Credited to bugbunny-research and ylwango613

Django vulnerable to ASGI header spoofing via underscore/hyphen conflation (High)
CVE-2026-3902 was published for Django (pip) Apr 7, 2026