GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
102
GitHub Actions
54
Go
4,340
Maven
5,000+
npm
5,000+
NuGet
1,033
pip
5,000+
Pub
13
RubyGems
1,122
Rust
1,498
Swift
61
Unreviewed advisories
All unreviewed
5,000+
33,376 advisories
Filter by severity
Skipper: Incomplete fix for CVE-2026-50197: an oversized body can bypass OPA deny-on-presence Rego policies
High
GHSA-8qqm-fp2q-v734
was published
for
github.com/zalando/skipper
(Go)
Jul 17, 2026
Skipper's routesrv-no-auth component: All routesrv API Endpoints Lack Authentication
Moderate
CVE-2026-54246
was published
for
github.com/zalando/skipper
(Go)
Jul 17, 2026
CloudTAK: Authenticated full-read SSRF in the /api/esri* routes — user-controlled URL fetched with no IP-classification guard
High
CVE-2026-55177
was published
for
@tak-ps/cloudtak
(npm)
Jul 17, 2026
PocketSphinx: Buffer overflows in language and acoustic model loading code
Moderate
CVE-2026-54559
was published
for
pocketsphinx
(pip)
Jul 17, 2026
AngleSharp HTML5 Spec Compliance: mXSS via annotation-xml HTML Integration Point Bypass
Moderate
CVE-2026-54570
was published
for
AngleSharp
(NuGet)
Jul 17, 2026
PRoot-Distro has Path Traversal in proot-distro copy — Arbitrary Read, Write, and Persistent Code Execution Outside Container Rootfs
Moderate
GHSA-mfr4-mq8w-vmg6
was published
for
proot-distro
(pip)
Jul 17, 2026
ExifReader HEIC/AVIF ISO-BMFF parser throws uncaught RangeError on truncated boxes
Moderate
CVE-2026-53496
was published
for
exifreader
(npm)
Jul 17, 2026
Flask-Reuploaded: Extension-denylist bypass via case-folding asymmetry in name-override path (incomplete-fix variant of CVE-2026-27641)
High
CVE-2026-54567
was published
for
Flask-Reuploaded
(pip)
Jul 17, 2026
Prompty: Arbitrary code execution via JavaScript frontmatter in TypeScript loader
High
CVE-2026-53597
was published
for
@prompty/core
(npm)
Jul 17, 2026
Prompty: Arbitrary file read via file reference expansion
High
CVE-2026-53598
was published
for
@prompty/core
(npm)
Jul 17, 2026
mcp-memory-keeper: Arbitrary local file read in context_import via unvalidated filePath
Moderate
CVE-2026-54561
was published
for
mcp-memory-keeper
(npm)
Jul 17, 2026
Formie: Missing authorization in administrative settings allows low-privileged CP users to modify plugin configuration
Moderate
GHSA-cvpc-hccg-wmw4
was published
for
verbb/formie
(Composer)
Jul 17, 2026
Gitea has insufficient permission checks for Composer package source links
High
CVE-2026-27771
was published
for
code.gitea.io/gitea
(Go)
Jul 17, 2026
TAK-PS-Stats Web UI: Authenticated full-read SSRF in CloudTAK basemap import (PUT /api/basemap) — no IP-classification guard
Moderate
CVE-2026-54546
was published
for
@tak-ps/cloudtak
(npm)
Jul 17, 2026
oapi-codegen: OpenAPI Server Description Escapes Generated Go Comment and Injects Executable Code
Low
GHSA-rjwr-m7qx-3fjr
was published
for
github.com/oapi-codegen/oapi-codegen/v2
(Go)
Jul 17, 2026
meta-ads-mcp: X-Pipeboard-Token Header Auth Bypass Reuses Operator Meta Token
High
CVE-2026-54547
was published
for
meta-ads-mcp
(pip)
Jul 17, 2026
meta-ads-mcp: Server-Side Request Forgery (SSRF) in `upload_ad_image` via Unrestricted `image_url` Fetch
High
CVE-2026-54549
was published
for
meta-ads-mcp
(pip)
Jul 17, 2026
sh _uid does not drop supplementary groups (incomplete privilege drop)
High
CVE-2026-54552
was published
for
sh
(pip)
Jul 17, 2026
AWS-JDBC Wrapper: Privilege Escalation in Aurora PostgreSQL instance
High
CVE-2026-11400
was published
for
software.amazon.jdbc:aws-advanced-jdbc-wrapper
(Maven)
Jul 17, 2026
plone.restapi: Stored XSS by spoofing mime type
Moderate
GHSA-8rqh-vxpr-x77p
was published
for
plone.restapi
(pip)
Jul 17, 2026
plone.app.textfield: Stored XSS by spoofing mime type
Moderate
CVE-2026-54503
was published
for
plone.app.textfield
(pip)
Jul 17, 2026
Skipper: Unbounded Request Body Read in Admission Webhook Causes Memory Exhaustion DoS
Moderate
CVE-2026-54247
was published
for
github.com/zalando/skipper
(Go)
Jul 17, 2026
vLLM: Speech-to-text upload size limit is enforced after full UploadFile read
Moderate
CVE-2026-55646
was published
for
vllm
(pip)
Jul 17, 2026
vLLM: ReDoS via structured_outputs.regex compiled without timeout in xgrammar and outlines backends
High
CVE-2026-55574
was published
for
vllm
(pip)
Jul 17, 2026
vLLM has Remote DoS via Invalid Recovered Token Reinjection
High
CVE-2026-54234
was published
for
vllm
(pip)
Jul 17, 2026
ProTip!
Advisories are also available from the
GraphQL API