Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
40
Go
2,980
Maven
5,000+
npm
4,634
NuGet
788
pip
4,321
Pub
12
RubyGems
986
Rust
1,131
Swift
49
Unreviewed advisories
All unreviewed
5,000+

26,073 advisories

Loading
Arbitrary WASM Code Execution via AnnotationOverrideFlight Injection in Yoke ATC High
CVE-2026-26056 was published for github.com/yokecd/yoke (Go) Feb 12, 2026
b0b0haha lixingquzhi
Credited to b0b0haha and lixingquzhi
Unauthenticated Admission Webhook Endpoints in Yoke ATC High
CVE-2026-26055 was published for github.com/yokecd/yoke (Go) Feb 12, 2026
b0b0haha lixingquzhi
Credited to b0b0haha and lixingquzhi
golang.org/x/net/html has a Quadratic Parsing Complexity issue Moderate
CVE-2025-47911 was published for golang.org/x/net/html (Go) Feb 12, 2026
@farmfe/core is Missing Origin Validation in WebSocket Moderate
CVE-2025-56647 was published for @farmfe/core (npm) Feb 12, 2026
CediPay Affected by Improper Input Validation in Payment Processing High
CVE-2026-26063 was published for cedipay-core (npm) Feb 12, 2026
qs's arrayLimit bypass in comma parsing allows denial of service Low
CVE-2026-2391 was published for qs (npm) Feb 12, 2026
SharokhAtaie ljharb
Credited to SharokhAtaie and ljharb
XWiki vulnerable to click-jacking through CSS injection in comments Moderate
CVE-2026-26000 was published for org.xwiki.platform:xwiki-platform-web (Maven) Feb 12, 2026
keechy1231
Credited to keechy1231
Traefik: TCP readTimeout bypass via STARTTLS on Postgres High
CVE-2026-25949 was published for github.com/traefik/traefik/v3 (Go) Feb 12, 2026
manizada
Credited to manizada
FrankenPHP's unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FrankenPHP High
CVE-2026-24895 was published for github.com/dunglas/frankenphp (Go) Feb 12, 2026
AbdrrahimDahmani dunglas
Credited to AbdrrahimDahmani and dunglas
FrankenPHP leaks session data between requests in worker mode High
CVE-2026-24894 was published for github.com/dunglas/frankenphp (Go) Feb 12, 2026
xavierleune dunglas
Credited to xavierleune and dunglas
webtransport-go: Memory Exhaustion Attack due to Missing Cleanup of Streams Map Moderate
CVE-2026-21438 was published for github.com/quic-go/webtransport-go (Go) Feb 12, 2026
webtransport-go: CloseWithError can block indefinitely Moderate
CVE-2026-21435 was published for github.com/quic-go/webtransport-go (Go) Feb 12, 2026
webtransport-go: Memory Exhaustion Attack due to Missing Length Check in WT_CLOSE_SESSION Capsule Moderate
CVE-2026-21434 was published for github.com/quic-go/webtransport-go (Go) Feb 12, 2026
markdown-it is has a Regular Expression Denial of Service (ReDoS) Moderate
CVE-2026-2327 was published for markdown-it (npm) Feb 12, 2026
Keras vulnerable to arbitrary file read in the model loading mechanism (HDF5 integration) High
CVE-2026-1669 was published for keras (pip) Feb 12, 2026
DiskCache has unsafe pickle deserialization Moderate
CVE-2025-69872 was published for diskcache (pip) Feb 11, 2026
ajv has ReDoS when using `$data` option Moderate
CVE-2025-69873 was published for ajv (npm) Feb 11, 2026
epoberezkin G-Rath
Credited to epoberezkin and G-Rath
Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise Critical
CVE-2026-26190 was published for github.com/milvus-io/milvus (Go) Feb 11, 2026
Vikunja Vulnerable to XSS Via Task Preview High
CVE-2026-25935 was published for code.vikunja.io/api (Go) Feb 11, 2026
supercoolspy
Credited to supercoolspy
nanotar is vulnerable to path traversal in parseTar() and parseTarGzip() Moderate
CVE-2025-69874 was published for nanotar (npm) Feb 11, 2026
Statamic CMS vulnerable to privilege escalation via stored cross-site scripting High
CVE-2026-25759 was published for statamic/cms (Composer) Feb 11, 2026
Neosprings
Credited to Neosprings
Statamic CMS's missing authorization allows access to assets Moderate
CVE-2026-25633 was published for statamic/cms (Composer) Feb 11, 2026
Neosprings
Credited to Neosprings
Phraseanet vulnerable to stored cross-site scripting through crafted file names Moderate
CVE-2018-25157 was published for phraseanet/phraseanet (Composer) Feb 11, 2026
Kimai 2 vulnerable to persistent cross-site scripting in the timesheet descriptions Moderate
CVE-2019-25317 was published for kimai/kimai (Composer) Feb 11, 2026
set-in Affected by Prototype Pollution Critical
CVE-2026-26021 was published for set-in (npm) Feb 11, 2026
kevgeoleo vdata1
reallyTG
Credited to kevgeoleo, vdata1, and reallyTG
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database