Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
45
Go
3,227
Maven
5,000+
npm
5,000+
NuGet
864
pip
4,502
Pub
12
RubyGems
995
Rust
1,187
Swift
51
Unreviewed advisories
All unreviewed
5,000+

3,799 advisories

Loading
Malicious website can execute commands on the local system through XSS in the OpenCode web UI Critical
CVE-2026-22813 was published for opencode-ai (npm) Jan 13, 2026
AlbertSPedersen Credited to AlbertSPedersen
UmbracoForms Vulnerable to Remote Code Execution via Untrusted WSDL Compilation in Dynamic SOAP Client Generation Critical
CVE-2025-68924 was published for UmbracoForms (NuGet) Jan 13, 2026
chudyPB Credited to chudyPB
orval MCP client is vulnerable to a code injection attack. Critical
CVE-2026-22785 was published for @orval/mcp (npm) Jan 13, 2026
nirhaas Credited to nirhaas
openc3-api Vulnerable to Unauthenticated Remote Code Execution Critical
CVE-2025-68271 was published for openc3 (RubyGems) Jan 13, 2026
GhostPowerShell Credited to GhostPowerShell
Salesforce Uni2TS has a Code Injection vulnerability Critical
CVE-2026-22584 was published for uni2ts (pip) Jan 10, 2026
augustocesarperin Credited to augustocesarperin
WeKnora has Command Injection in MCP stdio test Critical
CVE-2026-22688 was published for github.com/Tencent/WeKnora (Go) Jan 9, 2026
im-soohyun Credited to im-soohyun
XWiki Full Calendar Macro vulnerable to SQL injection through Calendar.JSONService Critical
CVE-2025-65091 was published for org.xwiki.contrib:macro-fullcalendar-pom (Maven) Jan 9, 2026
FASTJSON Includes Functionality from Untrusted Control Sphere Critical
CVE-2025-70974 was published for com.alibaba:fastjson (Maven) Jan 9, 2026
React Router has Path Traversal in File Session Storage Critical
CVE-2025-61686 was published for @react-router/node (npm) Jan 8, 2026
zaddy6 Credited to zaddy6
wolfSSL Python module vulnerable to Improper Authentication Critical
CVE-2025-15346 was published for wolfssl (pip) Jan 8, 2026
rhdesmond Credited to rhdesmond
n8n Vulnerable to Unauthenticated File Access via Improper Webhook Request Handling Critical
CVE-2026-21858 was published for n8n (npm) Jan 7, 2026
dorattias Credited to dorattias
terminal-controller-mcp vulnerable to Command Injection Critical
CVE-2025-61492 was published for terminal-controller (pip) Jan 7, 2026
Undertow HTTP server core doesn't properly validate the Host header in incoming HTTP requests Critical
CVE-2025-12543 was published for io.undertow:undertow-core (Maven) Jan 7, 2026
aldexis Credited to aldexis and dpogorelov dpogorelov dpogorelov
OpenFlagr contains an authentication bypass vulnerability in the HTTP middleware Critical
CVE-2026-0650 was published for github.com/openflagr/flagr (Go) Jan 7, 2026
Bypassing Kyverno Policies via Double Policy Exceptions Critical
GHSA-gg4x-fgg2-h9w9 was published for github.com/kyverno/kyverno (Go) Jan 6, 2026
r0binak Credited to r0binak
n8n Vulnerable to RCE via Arbitrary File Write Critical
CVE-2026-21877 was published for n8n (npm) Jan 6, 2026
theolelasseux Credited to theolelasseux
Harvest May Expose OS Default SSH Login Password Via SUSE Virtualization Interactive Installer Critical
CVE-2025-62877 was published for github.com/harvester/harvester-installer (Go) Jan 5, 2026
jsPDF has Local File Inclusion/Path Traversal vulnerability Critical
CVE-2025-68428 was published for jspdf (npm) Jan 5, 2026
kilkat Credited to kilkat
AdonisJS Path Traversal in Multipart File Handling Critical
CVE-2026-21440 was published for @adonisjs/bodyparser (npm) Jan 2, 2026
wodzen Credited to wodzen
Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling Critical
CVE-2025-68620 was published for signalk-server (npm) Jan 2, 2026
atsc11 Credited to atsc11
Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE) Critical
CVE-2025-66398 was published for signalk-server (npm) Jan 2, 2026
RustFS has a gRPC Hardcoded Token Authentication Bypass Critical
CVE-2025-68926 was published for rustfs (Rust) Dec 30, 2025
apidoc-core has a prototype pollution vulnerability Critical
CVE-2025-13158 was published for apidoc-core (npm) Dec 26, 2025
n8n Vulnerable to Arbitrary Command Execution in Pyodide based Python Code Node Critical
CVE-2025-68668 was published for n8n (npm) Dec 26, 2025
berkdedekarginoglu Credited to berkdedekarginoglu, VladimirEliTokarev, Ofekitach, and nnfrog VladimirEliTokarev VladimirEliTokarev
Ofekitach Ofekitach nnfrog nnfrog
LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs Critical
CVE-2025-68664 was published for langchain-core (pip) Dec 23, 2025
0xn3va Credited to 0xn3va, yardenporat353, VladimirEliTokarev, eyurtsev, ccurme, mdrxy, and hntrl yardenporat353 yardenporat353
VladimirEliTokarev VladimirEliTokarev eyurtsev eyurtsev ccurme ccurme mdrxy mdrxy hntrl hntrl
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database