GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
32,526 advisories
pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config
High severity: GHSA-qrv3-253h-g69c was published for pnpm (npm) on Jun 27, 2026
pnpm: `patch-remove` could delete project-selected files outside the patches directory
High severity: GHSA-72r4-9c5j-mj57 was published for pnpm (npm) on Jun 27, 2026
pnpm: Hoisted install imports lockfile alias outside node_modules
High severity: GHSA-fr4h-3cph-29xv was published for pnpm (npm) on Jun 27, 2026
Nezha Dashboard: DDNS and Notification credential exposure via unredacted list API
Moderate severity: GHSA-ww5p-j6cj-6mqq was published for github.com/nezhahq/nezha (Go) on Jun 26, 2026
pnpm: `stage download` writes outside its destination directory via manifest name/version traversal
High severity: CVE-2026-55700 was published for pnpm (npm) on Jun 26, 2026
pnpm: Reserved bin name deletes PNPM_HOME during global remove
Moderate severity: CVE-2026-55699 was published for pnpm (npm) on Jun 26, 2026
pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes
High severity: CVE-2026-55698 was published for pnpm (npm) on Jun 26, 2026
Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR)
High severity: CVE-2026-49338 was published for go.senan.xyz/gonic (Go) on Jun 26, 2026
gonic: Path Traversal in playlist `id` bypasses ownership check, enabling any user to read/delete other users' playlists
High severity: CVE-2026-49339 was published for go.senan.xyz/gonic (Go) on Jun 26, 2026
gonic has arbitrary file write in createPlaylist: any authenticated user can write playlist M3U content to attacker-controlled path on the host
High severity: CVE-2026-49340 was published for go.senan.xyz/gonic (Go) on Jun 26, 2026
pnpm: Repository-controlled configDependencies can select a pacquet native install engine
High severity: CVE-2026-55697 was published for pnpm (npm) on Jun 26, 2026
pnpm: Manifest identity spoof satisfies allowBuilds and runs attacker lifecycle
High severity: CVE-2026-55487 was published for pnpm (npm) on Jun 26, 2026
pnpm: Repository config can expand victim environment secrets into registry requests before scripts run
Moderate severity: CVE-2026-55180 was published for pnpm (npm) on Jun 26, 2026
ImageMagick has a Heap Buffer Over-Write in SF3 encoder when writing multi-frame image
Moderate severity: CVE-2026-53465 was published for Magick.NET-Q16-AnyCPU (NuGet) on Jun 26, 2026
ImageMagick: Memory Leak in wand option parser when providing invalid arguments
Moderate severity: CVE-2026-53464 was published for Magick.NET-Q16-AnyCPU (NuGet) on Jun 26, 2026
Statamic CMS's incorrect authorization lets view-only users submit Live Preview content reserved for editors
Low severity: CVE-2026-54244 was published for statamic/cms (Composer) on Jun 26, 2026
Nezha Monitoring: OAuth2 Redirect URL — Host Header Injection
Moderate severity: CVE-2026-53523 was published for github.com/nezhahq/nezha (Go) on Jun 26, 2026
Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS
Moderate severity: CVE-2026-53522 was published for github.com/nezhahq/nezha (Go) on Jun 26, 2026
Statamic Vulnerable to CSV formula injection in form submission exports
Moderate severity: CVE-2026-54243 was published for statamic/cms (Composer) on Jun 26, 2026
Statamic Vulnerable to Server-Side Request Forgery via Glide (DNS rebinding)
Moderate severity: CVE-2026-54242 was published for statamic/cms (Composer) on Jun 26, 2026
Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secret_key
Critical severity: CVE-2026-53519 was published for github.com/nezhahq/nezha (Go) on Jun 26, 2026
Nezha Monitoring: Stored future DDNS profile ID allows unauthorized use of another user's DDNS profile context
Moderate severity: CVE-2026-53521 was published for github.com/nezhahq/nezha (Go) on Jun 26, 2026
Nezha Monitoring: Authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing
Moderate severity: CVE-2026-53520 was published for github.com/nezhahq/nezha (Go) on Jun 26, 2026
pnpm Vulnerable to Arbitrary File Write/Delete via Malicious Patch File (Path Traversal)
High severity: CVE-2026-50015 was published for pnpm (npm) on Jun 26, 2026
pnpm binds unscoped user-level npm auth credentials to a repository-selected registry
Moderate severity: CVE-2026-50017 was published for pnpm (npm) on Jun 26, 2026
ProTip! Advisories are also available from the GraphQL API.