GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
    All reviewed: 5,000+
    Composer: 5,000+
    Erlang: 61
    GitHub Actions: 50
    Go: 3,821
    Maven: 5,000+
    npm: 5,000+
    NuGet: 939
    pip: 5,000+
    Pub: 13
    RubyGems: 1,059
    Rust: 1,357
    Swift: 54
Unreviewed advisories
    All unreviewed: 5,000+
30,221 advisories
External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote...
    Critical, Unreviewed. CVE-2026-8043 was published on May 12, 2026
sealed-env: TOTP secret embedded in unseal token payload (enterprise mode)
    Critical. CVE-2026-45091 was published for io.github.davidalmeidac:sealed-env-core (Maven) on May 12, 2026
Dalfox Server Mode Vulnerable to Unauthenticated Remote Code Execution via `found-action`
    Critical. CVE-2026-45087 was published for github.com/hahwul/dalfox/v2 (Go) on May 12, 2026
A vulnerability has been identified in ROS# (All versions < V2.2.2). Affected versions contain a...
    Critical, Unreviewed. CVE-2026-41551 was published on May 12, 2026
Prior to 2025-11-03, well-intended users of Terraform or REST API for Google Cloud AlloyDB for...
    Critical, Unreviewed. CVE-2026-7428 was published on May 12, 2026
Insecure generation of credentials in the local SAT (Technical Support) access functionality of...
    Critical, Unreviewed. CVE-2026-8072 was published on May 12, 2026
Improper neutralization of special elements used in an SQL command ('SQL injection')...
    Critical, Unreviewed. CVE-2025-6577 was published on May 12, 2026
Affected devices do not properly validate and sanitize PLC/station name rendered on the ...
    Critical, Unreviewed. CVE-2026-25786 was published on May 12, 2026
Affected devices do not properly validate and sanitize Technology Object (TO) name rendered on...
    Critical, Unreviewed. CVE-2026-25787 was published on May 12, 2026
"Kura Sushi Official App" provided by EPG, Inc. is vulnerable to improper certificate validation....
    Critical, Unreviewed. CVE-2026-41872 was published on May 12, 2026
Due to improper Spring Security configuration, SAP Commerce cloud allows an unauthenticated user...
    Critical, Unreviewed. CVE-2026-34263 was published on May 12, 2026
SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows...
    Critical, Unreviewed. CVE-2026-34260 was published on May 12, 2026
Reserved. Details will be published at disclosure.
    Critical, Unreviewed. CVE-2026-45393 was published on May 12, 2026
Reserved. Details will be published at disclosure.
    Critical, Unreviewed. CVE-2026-45391 was published on May 12, 2026
Reserved. Details will be published at disclosure.
    Critical, Unreviewed. CVE-2026-45392 was published on May 12, 2026
Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys
    Critical. CVE-2026-45321 was published for @tanstack/arktype-adapter (npm) on May 12, 2026
SandboxJS has a sandbox escape via Function.caller leakage of internal call op
    Critical. CVE-2026-43898 was published for @nyariv/sandboxjs (npm) on May 11, 2026
HireFlow v1.2 is vulnerable to SQL injection in the /login and /search endpoints. User-supplied...
    Critical, Unreviewed. CVE-2026-38567 was published on May 11, 2026
Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared...
    Critical, Unreviewed. CVE-2026-7813 was published on May 11, 2026
Unity Catalog has a JWT Issuer Validation Bypass that Allows Complete User Impersonation
    Critical. CVE-2026-27478 was published for io.unitycatalog:unitycatalog-server (Maven) on May 11, 2026
WebdriverIO BrowserStack Service has a Command Injection issue
    Critical. CVE-2026-25244 was published for @wdio/browserstack-service (npm) on May 11, 2026
torrentpier has PHP Serialize Injections
    Critical. GHSA-h29g-c9cx-c73q was published for torrentpier/torrentpier (Composer) on May 11, 2026
Angular Expressions - Remote Code Execution using filters
    Critical. CVE-2026-44643 was published for angular-expressions (npm) on May 11, 2026
CloudNativePG's metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE
    Critical. CVE-2026-44477 was published for github.com/cloudnative-pg/cloudnative-pg (Go) on May 11, 2026
PraisonAI MCP `tools/call` path-traversal => RCE via Python `.pth` injection
    Critical. CVE-2026-44336 was published for PraisonAI (pip) on May 11, 2026
ProTip! Advisories are also available from the GraphQL API