GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
30,221 advisories
Spring Cloud Config vulnerable to Path Traversal
Critical • CVE-2026-40982 was published for org.springframework.cloud:spring-cloud-config-server (Maven) • May 7, 2026
vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution
Critical • CVE-2026-44007 was published for vm2 (npm) • May 7, 2026
vm2 has a NodeVM builtin allowlist bypass via `module` builtin's `Module._load` that allows sandbox escape
Critical • CVE-2026-43999 was published for vm2 (npm) • May 7, 2026
vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape
Critical • CVE-2026-44005 was published for vm2 (npm) • May 7, 2026
vm2 Access to Host Object Enables Sandbox Escape
Critical • CVE-2026-43997 was published for vm2 (npm) • May 7, 2026
vm2 has a Sandbox Escape Vulnerability
Critical • CVE-2026-44006 was published for vm2 (npm) • May 7, 2026
FileBrowser Public Share DELETE API Path Traversal Allows Unauthenticated Arbitrary File Deletion
Critical • CVE-2026-44542 was published for github.com/gtsteffaniak/filebrowser (Go) • May 7, 2026
ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction
Critical • CVE-2026-42880 was published for github.com/argoproj/argo-cd/v3 (Go) • May 7, 2026
Fleet: Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering
Critical • CVE-2026-41050 was published for github.com/rancher/fleet (Go) • May 7, 2026
Gotenberg vulnerable to unauthenticated SSRF via default deny-list bypass in downloadFrom and webhook
Critical • CVE-2026-42596 was published for github.com/gotenberg/gotenberg/v8 (Go) • May 7, 2026
Gotenberg has Unauthenticated RCE via ExifTool Metadata Key Injection
Critical • CVE-2026-42589 was published for github.com/gotenberg/gotenberg/v8 (Go) • May 7, 2026
Compromise of PyTorch Lightning PyPi Package Versions
Critical • CVE-2026-44484 was published for pytorch-lightning (pip) • May 7, 2026
Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening
Critical • GHSA-9h64-2846-7x7f was published for github.com/getaxonflow/axonflow (Go) • May 6, 2026
misp-modules website - Missing CSRF protection in the website home blueprint
Critical • CVE-2026-44364 was published for misp-modules (pip) • May 6, 2026
fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver
Critical • CVE-2026-44351 was published for fast-jwt (npm) • May 6, 2026
Valtimo has SpEL injection via StandardEvaluationContext that allows Remote Code Execution by admin users
Critical • CVE-2026-42555 was published for com.ritense.valtimo:case (Maven) • May 6, 2026
OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where...
Critical • Unreviewed • CVE-2026-43578 was published • May 6, 2026
OpenClaw before 2026.4.10 contains an improper network binding vulnerability in the sandbox...
Critical • Unreviewed • CVE-2026-43581 was published • May 6, 2026
OpenClaw versions 2026.2.21 before 2026.4.10 contain an authentication bypass vulnerability in...
Critical • Unreviewed • CVE-2026-43575 was published • May 6, 2026
Duplicate Advisory: OpenClaw: Feishu webhook and card-action validation now fail closed
Critical • GHSA-cjg8-85gj-v9q2 was published for openclaw (npm) • May 6, 2026 • withdrawn
Duplicate Advisory: OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation
Critical • GHSA-m8wm-r5vq-qjpg was published for openclaw (npm) • May 6, 2026 • withdrawn
Use after free in Fullscreen in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to...
Critical • Unreviewed • CVE-2026-7908 was published • May 6, 2026
Use after free in Views in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had...
Critical • Unreviewed • CVE-2026-7910 was published • May 6, 2026
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal)...
Critical • Unreviewed • CVE-2026-0300 was published • May 6, 2026
phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha
Critical • GHSA-289f-fq7w-6q2w was published for phpmyfaq/phpmyfaq (Composer) • May 6, 2026
ProTip! Advisories are also available from the GraphQL API.