Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
45
Go
3,227
Maven
5,000+
npm
5,000+
NuGet
864
pip
4,502
Pub
12
RubyGems
995
Rust
1,187
Swift
51
Unreviewed advisories
All unreviewed
5,000+

3,799 advisories

Loading
Unfurl's debug mode cannot be disabled due to string config parsing (Werkzeug debugger exposure) Critical
GHSA-vg9h-jx4v-cwx2 was published for dfir-unfurl (pip) Jan 29, 2026
mobasi-team Credited to mobasi-team
SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE Critical
CVE-2026-25539 was published for github.com/siyuan-note/siyuan/kernel (Go) Jan 29, 2026
thxtech Credited to thxtech
DotNetNuke.Core Vulnerable to Stored XSS via Module Title Critical
CVE-2026-24838 was published for DotNetNuke.Core (NuGet) Jan 28, 2026
bdukes Credited to bdukes
Cap'n Proto has Undefined Behavior in constant::Reader and StructSchema Critical
GHSA-5w5r-mf82-595p was published for capnp (Rust) Jan 28, 2026
SandboxJS has Sandbox Escape via Unprotected AsyncFunction Constructor Critical
CVE-2026-23830 was published for @nyariv/sandboxjs (npm) Jan 27, 2026
nyxsorcerer Credited to nyxsorcerer
Kyverno Cross-Namespace Privilege Escalation via Policy apiCall Critical
CVE-2026-22039 was published for github.com/kyverno/kyverno (Go) Jan 27, 2026
thevilledev Credited to thevilledev
n8n Unsafe Workflow Expression Evaluation Allows Remote Code Execution Critical
CVE-2026-1470 was published for n8n (npm) Jan 27, 2026
Saltcorn's Reflected XSS and Command Injection vulnerabilities can be chained for 1-click-RCE Critical
GHSA-cr3w-cw5w-h3fj was published for @saltcorn/server (npm) Jan 26, 2026
Mathis-Z Credited to Mathis-Z
vm2 has a Sandbox Escape Critical
CVE-2026-22709 was published for vm2 (npm) Jan 26, 2026
dcap-qvl has Missing Verification for QE Identity Critical
CVE-2026-22696 was published for @phala/dcap-qvl (npm) Jan 26, 2026
Apache Continuum vulnerable to Command Injection through Installations REST API Critical
CVE-2016-15057 was published for org.apache.continuum:continuum (Maven) Jan 26, 2026
sm-crypto Affected by Private Key Recovery in SM2-PKE Critical
CVE-2026-23966 was published for sm-crypto (npm) Jan 21, 2026
XlabAITeam Credited to XlabAITeam, A7um, tl2cents, and keenanwgn A7um A7um
tl2cents tl2cents keenanwgn keenanwgn
Laravel Redis Horizontal Scaling Insecure Deserialization Critical
CVE-2026-23524 was published for laravel/reverb (Composer) Jan 21, 2026
m0h4mmad Credited to m0h4mmad
Orval has a code injection via unsanitized x-enum-descriptions in enum generation Critical
CVE-2026-23947 was published for @orval/core (npm) Jan 21, 2026
k14uz Credited to k14uz and ZipJo ZipJo ZipJo
Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment Critical
CVE-2026-23518 was published for github.com/fleetdm/fleet (Go) Jan 20, 2026
prateek-0490 Credited to prateek-0490
XDocReport affected by a Server-Side Template Injection (SSTI) vulnerability Critical
CVE-2025-64087 was published for fr.opensagres.xdocreport:fr.opensagres.xdocreport.template.freemarker (Maven) Jan 20, 2026
kevinleturc Credited to kevinleturc
XDocReport affected by an XML External Entity (XXE) vulnerability Critical
CVE-2025-65482 was published for fr.opensagres.xdocreport:fr.opensagres.xdocreport.document (Maven) Jan 20, 2026
Lobe Chat affected by Cross-Site Scripting(XSS) that can escalate to Remote Code Execution(RCE) Critical
CVE-2026-23733 was published for @lobehub/chat (npm) Jan 20, 2026
c2an1 Credited to c2an1
External Secrets Operator insecurely retrieves secrets through the getSecretKey templating function Critical
CVE-2026-22822 was published for github.com/external-secrets/external-secrets (Go) Jan 20, 2026
evrardjp Credited to evrardjp, budimanjojo, and gusfcarvalho budimanjojo budimanjojo
gusfcarvalho gusfcarvalho
REC in MCPJam inspector due to HTTP Endpoint exposes Critical
CVE-2026-23744 was published for @mcpjam/inspector (npm) Jan 16, 2026
c2an1 Credited to c2an1
Crawl4AI is Vulnerable to Remote Code Execution in Docker API via Hooks Parameter Critical
CVE-2026-26216 was published for Crawl4AI (pip) Jan 16, 2026
Crawl4AI Has Local File Inclusion in Docker API via file:// URLs Critical
CVE-2026-26217 was published for crawl4ai (pip) Jan 16, 2026
Deno node:crypto doesn't finalize cipher Critical
CVE-2026-22863 was published for deno (Rust) Jan 16, 2026
davidebombelli Credited to davidebombelli, vdata1, and reallyTG vdata1 vdata1
reallyTG reallyTG
Arcane Has a Command Injection in Arcane Updater Lifecycle Labels That Enables RCE Critical
CVE-2026-23520 was published for github.com/getarcaneapp/arcane/backend (Go) Jan 15, 2026
DenizParlak Credited to DenizParlak
enclave-vm Vulnerable to Sandbox Escape via Host Error Prototype Chain Critical
CVE-2026-22686 was published for enclave-vm (npm) Jan 14, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database