GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 61; GitHub Actions 50; Go 3,821; Maven 5,000+; npm 5,000+; NuGet 939; pip 5,000+; Pub 13; RubyGems 1,059; Rust 1,357; Swift 54
Unreviewed advisories: All unreviewed 5,000+
2,185 advisories
Advisory | Severity | Identifier | Package (ecosystem) | Published
Giskard has a Regular Expression Denial of Service (ReDoS) in RegexMatching Check | Low | CVE-2026-40319 | giskard-checks (pip) | Apr 14, 2026
Unauthenticated Open Redirect, Arbitrary HTTP Response Header Injection, Missing CSRF, and Invisible-Mode Bypass in goshs `/?redirect` endpoint | Low | GHSA-7qx6-f23w-3w7f | github.com/patrickhener/goshs (Go) | Apr 14, 2026
OAuth2 Proxy's session cookies are not cleared when rendering sign-in page | Low | CVE-2026-34454 | github.com/oauth2-proxy/oauth2-proxy/v7 (Go) | Apr 14, 2026
Multiple security fixes in justhtml | Low | GHSA-4p64-v8f5-r2gx | justhtml (pip) | Apr 14, 2026
Fat Free CRM has BOLA in DELETE /emails/:id - Any authenticated user can hit this endpoint and delete emails by ID | Low | GHSA-9pm8-vwc5-w2hm | fat_free_crm (RubyGems) | Apr 14, 2026
Kimai leaks API Token Hash via Invoice Twig Template | Low | GHSA-rh42-6rj2-xwmc | kimai/kimai (Composer) | Apr 14, 2026
Kimai has an Open Redirect via Unvalidated RelayState in SAML ACS Handler | Low | GHSA-3jp4-mhh4-gcgr | kimai/kimai (Composer) | Apr 14, 2026
Rand is unsound with a custom logger using rand::rng() | Low | GHSA-cq8v-f236-94qc | rand (Rust) | Apr 14, 2026
Craft Commerce has an unauthenticated information disclosure that can leak some customer order data on anonymous payments | Low | CVE-2026-32270 | craftcms/commerce (Composer) | Apr 14, 2026
DbGate has cross site scripting via the SVG Icon String Handler component | Low | CVE-2026-6216 | dbgate-web (npm) | Apr 13, 2026
Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel | Low | CVE-2026-40263 | github.com/enchant97/note-mark/backend (Go) | Apr 13, 2026
Warm-Flow has a SpEL Expression Injection in SpelHelper.parseExpression | Low | CVE-2026-6125 | org.dromara.warm:warm-flow-plugin-modes-sb (Maven) | Apr 12, 2026
MetaGPT affected by server-side request forgery in metagpt/utils/common.py | Low | CVE-2026-6111 | metagpt (pip) | Apr 12, 2026
MetaGPT has an eval injection via a cross-site request forgery attack | Low | CVE-2026-6109 | metagpt (pip) | Apr 12, 2026
unhead: Streaming SSR `streamKey` injected into inline script without identifier validation | Low | GHSA-x7mm-9vvv-64w8 | unhead (npm) | Apr 10, 2026
phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals() | Low | CVE-2026-40194 | phpseclib/phpseclib (Composer) | Apr 10, 2026
Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering | Low | CVE-2026-40109 | github.com/fluxcd/notification-controller (Go) | Apr 10, 2026
Step CA affected by an index out of bounds panic in TPM attestation EKU validation | Low | CVE-2026-40097 | github.com/smallstep/certificates (Go) | Apr 10, 2026
REDAXO has reflected XSS backend packages API via function parameter (CSRF token required) | Low | GHSA-xq4j-g85q-wf97 | redaxo/source (Composer) | Apr 10, 2026
REDAXO has reflected XSS in backend Metainfo API via type parameter (CSRF token required) | Low | GHSA-m662-8jrj-cw6v | redaxo/source (Composer) | Apr 10, 2026
uv vulnerable to arbitrary file deletion through RECORD entries | Low | GHSA-pjjw-68hj-v9mw | uv (pip) | Apr 10, 2026
@saltcorn/data vulnerable to SQL Injection via jsexprToSQL Literal Handler | Low | GHSA-59xv-588h-2vmm | @saltcorn/data (npm) | Apr 10, 2026
Beszel has an IDOR in hub API endpoints that read system ID from URL parameter | Low | CVE-2026-40077 | github.com/henrygd/beszel (Go) | Apr 10, 2026
OpenClaw vulnerable to SSRF in src/agents/tools/web-fetch.ts | Low | CVE-2026-6011 | openclaw (npm) | Apr 10, 2026
OpenStack Keystone: Restricted application credentials can create EC2 credentials | Low | CVE-2026-33551 | keystone (pip) | Apr 10, 2026
ProTip! Advisories are also available from the GraphQL API.