Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
46
GitHub Actions
47
Go
3,340
Maven
5,000+
npm
5,000+
NuGet
881
pip
4,549
Pub
12
RubyGems
1,012
Rust
1,202
Swift
51
Unreviewed advisories
All unreviewed
5,000+

517 advisories

Loading
AWS SDK for .NET: Improper escaping of special characters in CloudFront policy document construction High
GHSA-mvm6-f9r3-fgfx was published for AWSSDK.CloudFront (NuGet) Mar 27, 2026
NATS has pre-auth server panic via leafnode handling High
CVE-2026-33218 was published for github.com/nats-io/nats-server (Go) Mar 24, 2026
Forge has signature forgery in RSA-PKCS due to ASN.1 extra field High
CVE-2026-33894 was published for node-forge (npm) Mar 26, 2026
corbanvilla Credited to corbanvilla and dderpym dderpym dderpym
AWS SDK for Java 2.0: Improper Handling of Special Characters in CloudFront Signing Utilities High
GHSA-443w-3rq3-5m5h was published for software.amazon.awssdk:cloudfront (Maven) Mar 27, 2026
AWS SDK for PHP has CloudFront Policy Document Injection via Special Characters High
GHSA-27qh-8cxx-2cr5 was published for aws/aws-sdk-php (Composer) Mar 27, 2026
FrankenPHP's unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FrankenPHP High
CVE-2026-24895 was published for github.com/dunglas/frankenphp (Go) Feb 12, 2026
AbdrrahimDahmani Credited to AbdrrahimDahmani and dunglas dunglas dunglas
Bug fixes in hpke-rs, hpke-rs-rust-crypto High
GHSA-g433-pq76-6cmf was published for hpke-rs (Rust) Feb 13, 2026
LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern High
CVE-2026-33287 was published for liquidjs (npm) Mar 25, 2026
koDove Credited to koDove
LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash High
CVE-2026-33285 was published for liquidjs (npm) Mar 25, 2026
koDove Credited to koDove
Potentially untrusted input is rendered as HTML in final output High
CVE-2024-26151 was published for mjml (pip) Feb 22, 2024
sh-at-cs Credited to sh-at-cs
Improper Input Validation in XFire High
CVE-2012-5817 was published for org.codehaus.xfire:xfire-core (Maven) May 17, 2022
ormar Pydantic Validation Bypass via __pk_only__ and __excluded__ Kwargs Injection in Model Constructor High
CVE-2026-27953 was published for ormar (pip) Mar 19, 2026
Mistz1 Credited to Mistz1
ingress-nginx comment-based nginx configuration injection High
CVE-2026-4342 was published for k8s.io/ingress-nginx (Go) Mar 20, 2026
Apache Tomcat has an Improper Input Validation vulnerability High
CVE-2026-24734 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Feb 17, 2026
Jenson3210 Credited to Jenson3210
TYPO3 Image Processing susceptible to Code Execution High
CVE-2019-11832 was published for typo3/cms (Composer) May 24, 2022
ohader Credited to ohader
Undertow OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded High
CVE-2024-3884 was published for io.undertow:undertow-core (Maven) Dec 3, 2025
aldexis Credited to aldexis and za-rudeboy za-rudeboy za-rudeboy
SMTP smuggling in Apache James High
CVE-2023-51747 was published for org.apache.james:james-server (Maven) Feb 27, 2024
oscerd Credited to oscerd
Apache DolphinScheduler vulnerable to arbitrary JavaScript execution as root for authenticated users High
CVE-2024-23320 was published for org.apache.dolphinscheduler:dolphinscheduler-master (Maven) Feb 23, 2024
westonsteimel Credited to westonsteimel
Black's vulnerable version parsing leads to RCE in GitHub Action High
CVE-2026-31900 was published for psf/black (GitHub Actions) Mar 7, 2026
ParzivalHack Credited to ParzivalHack
Envoy has RBAC Header Validation Bypass via Multi-Value Header Concatenation High
CVE-2026-26308 was published for github.com/envoyproxy/envoy (Go) Mar 10, 2026
botengyao Credited to botengyao, phlax, and agrawroh phlax phlax
agrawroh agrawroh
@fastify/middie has Improper Path Normalization when Using Path-Scoped Middleware High
CVE-2026-2880 was published for @fastify/middie (npm) Feb 28, 2026
tachote Credited to tachote, mcollina, UlisesGascon, and Eomm mcollina mcollina
UlisesGascon UlisesGascon Eomm Eomm
Go Ethereum affected by DoS via malicious p2p message High
CVE-2026-26314 was published for github.com/ethereum/go-ethereum (Go) Feb 18, 2026
XML Entity Expansion and Improper Input Validation in Kubernetes API server High
CVE-2019-11253 was published for k8s.io/kubernetes (Go) May 18, 2021
Caddy: Unicode case-folding length expansion causes incorrect split_path index in FastCGI transport High
CVE-2026-27590 was published for github.com/caddyserver/caddy/v2 (Go) Feb 24, 2026
dunglas Credited to dunglas and AbdrrahimDahmani AbdrrahimDahmani AbdrrahimDahmani
Koa has Host Header Injection via ctx.hostname High
CVE-2026-27959 was published for koa (npm) Feb 26, 2026
p80n-sec Credited to p80n-sec
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database