GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
2,138 advisories
Bagisto affected by Server-Side Request Forgery
Low • CVE-2026-6744 was published for bagisto/bagisto (Composer) • Apr 21, 2026

Bagisto affected by Cross-site Scripting
Low • CVE-2026-6745 was published for bagisto/bagisto (Composer) • Apr 21, 2026

Hugging Face Smolagents has an Injection issue
Low • CVE-2026-4963 was published for smolagents (pip) • Mar 27, 2026

aiograpi has dependency on vulnerable orjson 3.11.4 (CVE-2025-67221)
Low • GHSA-7mw3-79jq-xc7f was published for aiograpi (pip) • May 6, 2026

Duplicate Advisory: Grav has Insecure Deserialization in File Cache
Low • GHSA-j7rw-325j-2rmx was published for getgrav/grav (Composer) • Apr 29, 2026 • withdrawn

xxl-job has a Resource Injection issue
Low • CVE-2026-7303 was published for com.xuxueli:xxl-job-admin (Maven) • Apr 29, 2026

rpassword affected by partial password reveal when input is interrupted
Low • GHSA-2p6r-x3vv-xqm2 was published for rpassword (Rust) • May 6, 2026

Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests
Low • CVE-2026-33658 was published for activestorage (RubyGems) • Mar 25, 2026

Magic Wormhole: receive, with --output pointing at an existing directory can be path-traversed
Low • CVE-2026-42448 was published for magic-wormhole (pip) • May 6, 2026

Spring gRPC AuthenticationException messages are reflected to remote client
Low • CVE-2026-40969 was published for org.springframework.grpc:spring-grpc (Maven) • Apr 28, 2026

Micronaut has Unbounded `bundleCache` in `ResourceBundleMessageSource` that Allows Memory Exhaustion via `Accept-Language` Header
Low • CVE-2026-44242 was published for io.micronaut:micronaut-inject (Maven) • May 6, 2026

auto-favicon has a Server-Side Request Forgery issue
Low • CVE-2026-7150 was published for auto-favicon (pip) • Apr 27, 2026

mcp-data-vis vulnerable to denial of service via unsanitized `select` key lookup on `Object.prototype` with `precompile: true`
Low • GHSA-r27j-894h-3w3p was published for icu-minify (npm) • May 6, 2026

vLLM makes Use of Uninitialized Resource
Low • CVE-2026-7141 was published for vllm (pip) • Apr 27, 2026

Wooey has an Incorrect Privilege Assignment issue
Low • CVE-2026-7142 was published for wooey (pip) • Apr 27, 2026

astral-tokio-tar: `unpack_in` can chmod arbitrary directories by following symlinks
Low • GHSA-xx64-wwv2-hcqq was published for astral-tokio-tar (Rust) • May 6, 2026

OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths
Low • CVE-2026-41913 was published for openclaw (npm) • Apr 9, 2026

OpenClaw: GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant)
Low • CVE-2026-41915 was published for openclaw (npm) • Apr 9, 2026

OpenClaw: Zalo webhook replay cache cross-target messageId scope bypass
Low • CVE-2026-41402 was published for openclaw (npm) • Apr 2, 2026

OpenClaw: Security Scan Failure Does Not Block Plugin Installation (Fail-Open)
Low • CVE-2026-41377 was published for openclaw (npm) • Apr 2, 2026

ciguard: Web UI is missing HTTP defence-in-depth headers
Low • GHSA-7ww3-xvf5-cxwm was published for ciguard (pip) • May 5, 2026

ciguard: discover_pipeline_files follows symlinks out of scan root
Low • CVE-2026-44220 was published for ciguard (pip) • May 5, 2026

ciguard: Container image runs as root (no USER directive)
Low • CVE-2026-44218 was published for ciguard (pip) • May 5, 2026

Ollama is Vulnerable to Path Traversal
Low • CVE-2026-7020 was published for github.com/ollama/ollama (Go) • Apr 26, 2026

parse-server: MFA SMS one-time password accepted twice under concurrent login
Low • CVE-2026-43930 was published for parse-server (npm) • May 5, 2026

ProTip! Advisories are also available from the GraphQL API