Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
45
Go
3,248
Maven
5,000+
npm
5,000+
NuGet
867
pip
4,513
Pub
12
RubyGems
997
Rust
1,189
Swift
51
Unreviewed advisories
All unreviewed
5,000+

474 advisories

Loading
Apache Livy: Restrict file access Moderate
CVE-2025-60012 was published for org.apache.livy:livy-server (Maven) Mar 13, 2026
Gokapi's File Request MaxSize Limit Bypassed via Multi-Chunk Upload Moderate
CVE-2026-30961 was published for github.com/forceu/gokapi (Go) Mar 13, 2026
Sijisu Credited to Sijisu, aisafe-bot, and Forceu aisafe-bot aisafe-bot
Forceu Forceu
SFTPGo improperly sanitizes placeholders in group home directories/key prefixes Moderate
CVE-2026-30915 was published for github.com/drakkan/sftpgo/v2 (Go) Mar 13, 2026
ImageMagick: Specially crafted SVG leads to segmentation fault and generate trash files in "/tmp", possible to leverage DoS Moderate
CVE-2023-1289 was published for Magick.NET-Q16-AnyCPU (NuGet) Mar 12, 2026
Im10n Credited to Im10n
@backstage/plugin-auth-backend: OAuth redirect URI allowlist bypass Moderate
CVE-2026-32235 was published for @backstage/plugin-auth-backend (npm) Mar 12, 2026
Quill vulnerable to SSRF via unvalidated URL from Apple notarization log retrieval Moderate
CVE-2026-31959 was published for github.com/anchore/quill (Go) Mar 11, 2026
Envoy vulnerable to crash for scoped ip address during DNS Moderate
CVE-2026-26310 was published for github.com/envoyproxy/envoy (Go) Mar 10, 2026
antoniovleonti Credited to antoniovleonti, agrawroh, botengyao, and phlax agrawroh agrawroh
botengyao botengyao phlax phlax
OliveTin has crash on NPE by calling APIs with invalid bindings or log references Moderate
GHSA-fwhj-785h-43hh was published for github.com/OliveTin/OliveTin (Go) Mar 5, 2026
maru1009 Credited to maru1009
Agentgateway is missing parameter sanitization in MCP to OpenAPI conversion Moderate
CVE-2026-29791 was published for github.com/agentgateway/agentgateway (Go) Mar 5, 2026
n8n has a Guardrail Node Bypass Moderate
GHSA-fvfv-ppw4-7h2w was published for n8n (npm) Feb 26, 2026
akirilov Credited to akirilov
Caddy: Improper sanitization of glob characters in file matcher may lead to bypassing security protections Moderate
CVE-2026-27585 was published for github.com/caddyserver/caddy/v2 (Go) Feb 24, 2026
parrot409 Credited to parrot409
Apache Tomcat - Client certificate verification bypass Moderate
CVE-2025-66614 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Feb 17, 2026
Jenson3210 Credited to Jenson3210
Bug fixes in hpke-rs, hpke-rs-rust-crypto Moderate
GHSA-g433-pq76-6cmf was published for hpke-rs (Rust) Feb 13, 2026
Litestar's FileStore key canonicalization collisions allow response cache mixup/poisoning (ASCII ord + Unicode NFKD) Moderate
CVE-2026-25480 was published for litestar (pip) Feb 9, 2026
Sirdorblu Credited to Sirdorblu
[actix-files] Panic triggered by empty Range header in GET request for static file Moderate
GHSA-gcqf-3g44-vc9p was published for actix-files (Rust) Feb 6, 2026
Diomendius Credited to Diomendius and JohnTitor JohnTitor JohnTitor
n8n's domain allowlist bypass enables credential exfiltration Moderate
CVE-2026-25631 was published for n8n (npm) Feb 4, 2026
weblover12 Credited to weblover12
jsPDF Vulnerable to Stored XMP Metadata Injection (Spoofing & Integrity Violation) Moderate
CVE-2026-24043 was published for jspdf (npm) Feb 2, 2026
KarimTantawey Credited to KarimTantawey
Swift W3C TraceContext vulnerable to a malformed HTTP header causing a crash Moderate
CVE-2026-23886 was published for github.com/swift-otel/swift-otel (Swift) Jan 21, 2026
czechboy0 Credited to czechboy0 and slashmo slashmo slashmo
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion Moderate
CVE-2025-15284 was published for qs (npm) Dec 30, 2025
samipmainali Credited to samipmainali and ljharb ljharb ljharb
ABP Account Module has an Open Redirect through Improper validation in its register function Moderate
CVE-2025-65581 was published for Volo.Abp.Account.Web (NuGet) Dec 16, 2025
FeehiCMS Has a Remote Code Execution via Unrestricted File Upload in Ad Management Moderate
CVE-2025-65657 was published for feehi/cms (Composer) Dec 2, 2025
mdast-util-to-hast has unsanitized class attribute Moderate
CVE-2025-66400 was published for mdast-util-to-hast (npm) Dec 2, 2025
Directus is Vulnerable to Stored Cross-site Scripting Moderate
CVE-2025-64747 was published for directus (npm) Nov 14, 2025
Cl0wnK1n9 Credited to Cl0wnK1n9
uv allows ZIP payload obfuscation through parsing differentials Moderate
GHSA-pqhf-p39g-3x64 was published for uv (pip) Oct 29, 2025
calebbrown Credited to calebbrown, woodruffw, and zanieb woodruffw woodruffw
zanieb zanieb
Astro's `X-Forwarded-Host` is reflected without validation Moderate
CVE-2025-61925 was published for astro (npm) Oct 10, 2025
Chisnet Credited to Chisnet
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database