GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
102
GitHub Actions
54
Go
4,340
Maven
5,000+
npm
5,000+
NuGet
1,033
pip
5,000+
Pub
13
RubyGems
1,122
Rust
1,498
Swift
61
Unreviewed advisories
All unreviewed
5,000+
164,179 advisories
Filter by severity
n8n: Webhook Forgery on Github Webhook Trigger
Moderate
CVE-2026-56357
was published
for
n8n
(npm)
Feb 26, 2026
UltraJSON: Malformed/Truncated UTF-8 Accepted and Silently Rewritten in ujson.dumps()
Moderate
CVE-2026-54911
was published
for
ujson
(pip)
Jun 19, 2026
WebOb: Location header normalization during redirect leads to open redirect - again
Moderate
CVE-2026-44889
was published
for
webob
(pip)
Jun 4, 2026
Picklescan is vulnerable to RCE through missing detection when calling numpy.f2py.crackfortran._eval_length
Moderate
CVE-2025-71339
was published
for
picklescan
(pip)
Dec 30, 2025
Filament has inconsistent scope enforcement for its AttachAction and AssociateAction Select fields
Moderate
CVE-2026-48067
was published
for
filament/actions
(Composer)
Jun 11, 2026
Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization
Moderate
CVE-2026-44311
was published
for
fabric
(npm)
Jun 12, 2026
Authlib OAuth 2.0 has Open Redirect in Authorization API that allows attacker-controlled redirect_uri through unsupported response_type
Moderate
CVE-2026-41479
was published
for
authlib
(pip)
Jun 8, 2026
Astro: XSS via Unescaped Attribute Names in Spread Props
Moderate
CVE-2026-54298
was published
for
astro
(npm)
Jun 16, 2026
@astrojs/netlify broadens Astro image.remotePatterns in Netlify Image CDN config
Moderate
CVE-2026-54300
was published
for
@astrojs/netlify
(npm)
Jun 16, 2026
ZITADEL: Missing Token Lifecyle Validation (`exp` and `iat`) in JWT IdP Provider
Moderate
CVE-2026-56664
was published
for
github.com/zitadel/zitadel
(Go)
Jun 18, 2026
katello: missing repository authorization in content_uploads exposes cross-product content existence
Moderate
CVE-2026-12515
was published
for
katello
(RubyGems)
Jun 17, 2026
decidim-meetings Cross-site scripting vulnerability in the online or hybrid meeting embeds
Moderate
CVE-2024-45594
was published
for
decidim-meetings
(RubyGems)
Nov 13, 2024
SurrealDB before 2.2.2 with scripting enabled fails to properly enforce recursion limits when...
Moderate
Unreviewed
CVE-2025-71393
was published
Jul 18, 2026
SurrealDB before 2.2.6, 2.3.6, and 2.1.8 (and 3.0.0-alpha.7 and earlier) fails to validate DNS...
Moderate
Unreviewed
CVE-2025-71390
was published
Jul 18, 2026
SurrealDB before 2.2.2 fails to validate HTTP redirects in http functions, allowing authenticated...
Moderate
Unreviewed
CVE-2025-71398
was published
Jul 18, 2026
SurrealDB versions before 2.1.0 contain a denial of service vulnerability in role conversion that...
Moderate
Unreviewed
CVE-2024-58358
was published
Jul 18, 2026
SurrealDB before 1.5.4 fails to properly validate authentication when a scope user switches...
Moderate
Unreviewed
CVE-2024-58363
was published
Jul 18, 2026
A weakness has been identified in Sipeed PicoClaw up to 0.2.9. This impacts the function...
Moderate
Unreviewed
CVE-2026-16084
was published
Jul 18, 2026
A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. This affects the function...
Moderate
Unreviewed
CVE-2026-16083
was published
Jul 18, 2026
The W3SC Elementor to Zoho CRM plugin for WordPress is vulnerable to Cross-Site Request Forgery...
Moderate
Unreviewed
CVE-2026-9734
was published
Jul 18, 2026
barebox prior to version 2026.04.0 contains out-of-bounds read vulnerabilities in ext4 extent...
Moderate
Unreviewed
CVE-2026-34961
was published
May 12, 2026
barebox version prior to 2026.04.0 contains a denial-of-service vulnerability in ext4 directory...
Moderate
Unreviewed
CVE-2026-34962
was published
May 12, 2026
Authentication bypass using an alternate path or channel in Microsoft Edge (Chromium-based)...
Moderate
Unreviewed
CVE-2026-57980
was published
Jul 18, 2026
Skipper's routesrv-no-auth component: All routesrv API Endpoints Lack Authentication
Moderate
CVE-2026-54246
was published
for
github.com/zalando/skipper
(Go)
Jul 17, 2026
IBM Security Verify could allow a remote attacker to obtain sensitive information when a detailed...
Moderate
Unreviewed
CVE-2026-8861
was published
Jul 17, 2026
ProTip!
Advisories are also available from the
GraphQL API