GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
122 advisories
golang.org/x/crypto/ssh is vulnerable to invoking server panic during CheckHostKey/Authenticate flow
Moderate | CVE-2026-39835 | golang.org/x/crypto/ssh (Go) | published Jun 25, 2026
golang.org/x/crypto/ssh vulnerable to invoking bypass of certificate restrictions
Moderate | CVE-2026-39828 | golang.org/x/crypto/ssh (Go) | published Jun 25, 2026
Nodemailer: Improper TLS Certificate Validation in OAuth2 Token Fetch Enables Credential Interception
Moderate | GHSA-r7g4-qg5f-qqm2 | nodemailer (npm) | published Jun 15, 2026
arnika is affected by medium-severity issues in UDP rotation, PQC handling, and KMS TLS
Moderate | GHSA-rc6v-5rmx-w5mv | github.com/arnika-project/arnika (Go) | published May 15, 2026
Vert.x has a DoS via unbounded server-side SNI SslContext cache growth
Moderate | CVE-2026-6860 | io.vertx:vertx-core (Maven) | published May 9, 2026
gitsign verify accepts signatures over go-git-normalized bytes, enabling trust confusion on malformed commits
Moderate | CVE-2026-44309 | github.com/sigstore/gitsign (Go) | published May 8, 2026
OpenTelemetry.Exporter.Instana bypasses TLS certificate validation when a proxy is configured
Moderate | CVE-2026-44213 | OpenTelemetry.Exporter.Instana (NuGet) | published May 8, 2026
CSS Parser: Improper Certificate Validation allows MITM injection of remote CSS content
Moderate | CVE-2026-44312 | css_parser (RubyGems) | published May 7, 2026
misp-modules has unsafe remote resource fetching in expansion
Moderate | CVE-2026-44363 | misp-modules (pip) | published May 6, 2026
Lemur: LDAP Authentication Globally Disables TLS Certificate Verification When LDAP_USE_TLS Is Enabled
Moderate | CVE-2026-44305 | lemur (pip) | published May 6, 2026
pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification via unrestricted `ssl_verify` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)
Moderate | CVE-2026-42312 | pyload-ng (pip) | published May 4, 2026
apache-airflow-providers-smtp: No certificate validation on SMTP STARTTLS connections in SMTP provider
Moderate | CVE-2026-41016 | apache-airflow-providers-smtp (pip) | published Apr 30, 2026
CKAN has no certificate validation on SMTP connection
Moderate | CVE-2026-41132 | ckan (pip) | published Apr 29, 2026
Spring Boot's Cassandra SSL auto-configuration disables TLS hostname verification
Moderate | CVE-2026-40974 | org.springframework.boot:spring-boot-cassandra (Maven) | published Apr 28, 2026
Spring Boot's RabbitMQ auto-configuration doesn't perform hostname verification when connecting to the RabbitMQ broker
Moderate | CVE-2026-40971 | org.springframework.boot:spring-boot-rabbitmq (Maven) | published Apr 28, 2026
Spring Boot's Elasticsearch auto-configuration doesn't perform hostname verification when connecting to the Elasticsearch server
Moderate | CVE-2026-40970 | org.springframework.boot:spring-boot-elasticsearch (Maven) | published Apr 27, 2026
Apache Storm Prometheus Reporter vulnerable to Improper Certificate Validation via Global SSL Context Downgrade
Moderate | CVE-2026-40557 | org.apache.storm:storm-metrics-prometheus (Maven) | published Apr 27, 2026
Sigstore Timestamp Authority has Improper Certificate Validation in verifier
Moderate | CVE-2026-39984 | github.com/sigstore/timestamp-authority/v2 (Go) | published Apr 14, 2026
rfc3161-client Has Improper Certificate Validation
Moderate | CVE-2026-33753 | rfc3161-client (pip) | published Apr 8, 2026
Tesla Fleet Telemetry allows spoofing telemetry for arbitrary vehicles via compromised vehicle credentials
Moderate | GHSA-prxj-3gcv-cqrh | github.com/teslamotors/fleet-telemetry (Go) | published Apr 1, 2026
Apache Airflow Provider for Databricks: TLS Certificate Verification is Disabled in Databricks Provider K8s Token Exchange
Moderate | CVE-2026-32794 | apache-airflow (pip) | published Mar 31, 2026
NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching
Moderate | CVE-2026-33248 | github.com/nats-io/nats-server (Go) | published Mar 24, 2026
Terraform Provider for ArgoCD has possible exposure to GO-2026-4337 / CVE-2025-68121
Moderate | GHSA-594f-3595-c47v | github.com/argoproj-labs/terraform-provider-argocd (Go) | published Mar 18, 2026
OpenClaw affected by iMessage remote attachment SCP hardening (strict host-key checks and remoteHost validation)
Moderate | GHSA-2mc2-g238-722j | openclaw (npm) | published Mar 3, 2026
Apache Tomcat - Client certificate verification bypass
Moderate | CVE-2025-66614 | org.apache.tomcat.embed:tomcat-embed-core (Maven) | published Feb 17, 2026