GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
81 advisories
Omni: Operator can traverse image-factory API paths via unsanitized `talos_version` in CreateSchematic
Low
CVE-2026-45723
was published
for
github.com/siderolabs/omni
(Go)
Jun 5, 2026
Sparkle's AppInstaller post-stage-1 XPC listener accepts unvalidated connections, allowing spoofed appcast item data injection
Moderate
CVE-2026-47122
was published
for
github.com/sparkle-project/Sparkle
(Swift)
May 29, 2026
Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0
High
CVE-2026-42043
was published
for
axios
(npm)
May 5, 2026
pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy via unrestricted `proxy.*` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)
High
CVE-2026-42313
was published
for
pyload-ng
(pip)
May 4, 2026
kyverno apicall servicecall implicit bearer token injection leaks kyverno serviceaccount token
High
CVE-2026-40868
was published
for
github.com/kyverno/kyverno
(Go)
Apr 14, 2026
Aiven Operator has cross-namespace secret exfiltration via ClickhouseUser connInfoSecretSource
Moderate
CVE-2026-39961
was published
for
github.com/aiven/aiven-operator
(Go)
Apr 10, 2026
Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF
Moderate
CVE-2025-62718
was published
for
axios
(npm)
Apr 9, 2026
FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities
High
CVE-2026-27124
was published
for
fastmcp
(pip)
Mar 31, 2026
Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`
Moderate
CVE-2026-33768
was published
for
@astrojs/vercel
(npm)
Mar 26, 2026
OliveTin's RestartAction always runs actions as guest
Moderate
CVE-2026-30225
was published
for
github.com/OliveTin/OliveTin
(Go)
Mar 5, 2026
OpenClaw Vulnerable to Remote Code Execution via Node Invoke Approval Bypass in Gateway
Critical
CVE-2026-28466
was published
for
openclaw
(npm)
Mar 2, 2026
ProTip!
Advisories are also available from the
GraphQL API