
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

125,465 advisories

opentelemetry-collector-contrib's azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay (High)
CVE-2026-42602 was published for github.com/open-telemetry/opentelemetry-collector-contrib/extension/azureauthextension (Go) May 6, 2026
Credited to caitlinhalla

python-multipart has Denial of Service via unbounded multipart part headers (High)
CVE-2026-42561 was published for python-multipart (pip) May 6, 2026
Credited to SinhSinhAn and intadd

Flight vulnerable to sensitive information disclosure via default error handler (High)
CVE-2026-42552 was published for flightphp/core (Composer) May 6, 2026
Credited to Rootingg, tomasilluminati, and offset

Netty has HttpClientCodec response desynchronization (High)
CVE-2026-42584 was published for io.netty:netty-codec-http (Maven) May 7, 2026
Credited to violetagg

Netty Lz4FrameDecoder is vulnerable to resource exhaustion (High)
CVE-2026-42583 was published for io.netty:netty-codec (Maven) May 7, 2026
Credited to violetagg

Netty HTTP/3 QPACK literal unbounded allocation (High)
CVE-2026-42582 was published for io.netty:netty-codec-http3 (Maven) May 7, 2026
Credited to violetagg

Netty has a DNS Codec Input Validation Bypass (Encoder + Decoder) (High)
CVE-2026-42579 was published for io.netty:netty-codec-dns (Maven) May 7, 2026

Flight: HTTP method override enabled by default, facilitating CSRF escalation and middleware bypass (High)
CVE-2026-42551 was published for flightphp/core (Composer) May 6, 2026
Credited to Rootingg

Flight vulnerable to SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete (High)
CVE-2026-42550 was published for flightphp/core (Composer) May 6, 2026
Credited to Rootingg

Flight has reflected XSS through an unvalidated JSONP callback in Flight::jsonp() (High)
CVE-2026-42548 was published for flightphp/core (Composer) May 6, 2026
Credited to Rootingg

CKAN has Unauthenticated SQL Injection and Authorization Bypass in `datastore_search_sql` (High)
CVE-2026-42031 was published for ckan (pip) Apr 29, 2026
Credited to ddd

GitHub Copilot CLI: Nested Bare Repository Can Execute Arbitrary Commands via core.fsmonitor (High)
CVE-2026-45033 was published for @github/copilot (npm) May 11, 2026

Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades (High)
CVE-2026-44578 was published for next (npm) May 11, 2026

Next.js has a Middleware / Proxy bypass through dynamic route parameter injection (High)
CVE-2026-44574 was published for next (npm) May 11, 2026

Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n (High)
CVE-2026-44573 was published for next (npm) May 11, 2026

fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes (High)
CVE-2026-44665 was published for fast-xml-builder (npm) May 8, 2026
Credited to amitguptagwl

vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox escape (High)
CVE-2026-43998 was published for vm2 (npm) May 7, 2026
Credited to bugbunny-research and koDove

vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS) (High)
CVE-2026-44001 was published for vm2 (npm) May 7, 2026
Credited to koDove

urllib3: Decompression-bomb safeguards bypassed in parts of the streaming API (High)
CVE-2026-44432 was published for urllib3 (pip) May 11, 2026
Credited to kimkou2024, Cycloctane, illia-v, and pquentin