GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
91
GitHub Actions
54
Go
4,194
Maven
5,000+
npm
5,000+
NuGet
1,021
pip
5,000+
Pub
13
RubyGems
1,102
Rust
1,422
Swift
61
Unreviewed advisories
All unreviewed
5,000+
13 advisories
Filter by severity
Mitmweb API Authentication Bypass Using Proxy Server
High
CVE-2025-23217
was published
for
mitmproxy
(pip)
Feb 6, 2025
code-server's session cookie can be extracted by having user visit specially crafted proxy URL
High
CVE-2025-47269
was published
for
code-server
(npm)
May 9, 2025
Misconfigured Internal Proxy in runtimes-inventory-rhel8-operator Grants Standard Users Full Cluster Administrator Access
High
CVE-2025-11393
was published
for
github.com/RedHatInsights/runtimes-inventory-operator
(Go)
Dec 15, 2025
Skipper Ingress Controller Allows Unauthorized Access to Internal Services via ExternalName
High
CVE-2026-24470
was published
for
github.com/zalando/skipper
(Go)
Jan 26, 2026
SurrealDB Affected by Confused Deputy Privilege Escalation through Future Fields and Functions
High
GHSA-3v2x-9xcv-2v2v
was published
for
surrealdb
(Rust)
Jan 22, 2026
FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities
High
CVE-2026-27124
was published
for
fastmcp
(pip)
Mar 31, 2026
kyverno apicall servicecall implicit bearer token injection leaks kyverno serviceaccount token
High
CVE-2026-40868
was published
for
github.com/kyverno/kyverno
(Go)
Apr 14, 2026
Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0
High
CVE-2026-42043
was published
for
axios
(npm)
May 5, 2026
pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy via unrestricted `proxy.*` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)
High
CVE-2026-42313
was published
for
pyload-ng
(pip)
May 4, 2026
axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
High
CVE-2026-44494
was published
for
axios
(npm)
May 29, 2026
Radius Controller May Delete a Container Resource via an Injected Deployment Annotation (Multi-Tenant Installs)
High
CVE-2026-53999
was published
for
github.com/radius-project/radius
(Go)
Jun 12, 2026
Strimzi: Cross-namespace privilege escalation via `Kafka.spec.entityOperator`
High
CVE-2026-55225
was published
for
io.strimzi:strimzi
(Maven)
Jun 18, 2026
Fission: Cross-namespace Environment reference in Package allows build-time command execution and SA token exfiltration
High
CVE-2026-49821
was published
for
github.com/fission/fission
(Go)
Jun 30, 2026
ProTip!
Advisories are also available from the
GraphQL API