GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
23 advisories
Externally Controlled Reference to a Resource in Another Sphere and Confused Deputy in Spring Cloud Netflix (Moderate): CVE-2020-5412, published for org.springframework.cloud:spring-cloud-netflix (Maven) on Apr 30, 2021.

Unchecked hostname resolution could allow access to local network resources by users outside the local network (Moderate): GHSA-6rg3-8h8x-5xfv, published for github.com/pterodactyl/wings (Go) on Jun 23, 2021.

Confused Deputy in Kubernetes (Moderate): CVE-2020-8561, published for k8s.io/kubernetes (Go) on Sep 21, 2021.

Jenkins Publisher Over CIFS Plugin confused deputy vulnerability (Moderate): CVE-2018-1999038, published for org.jenkins-ci.plugins:publish-over-cifs (Maven) on May 14, 2022.

Pterodactyl Wings vulnerable to Server-Side Request Forgery during remote file pull (Moderate): CVE-2024-34068, published for github.com/pterodactyl/wings (Go) on May 3, 2024.

kro Confused Deputy vulnerability (Moderate): CVE-2025-48710, published for github.com/kro-run/kro (Go) on Jun 4, 2025.

marimo vulnerable to proxy abuse of /mpl/{port}/ (Moderate): GHSA-xjv7-6w92-42r7, published for marimo (pip) on Oct 1, 2025.

Rack has a Possible Information Disclosure Vulnerability (Moderate): CVE-2025-61780, published for rack (RubyGems) on Oct 10, 2025.

fastify-reply-from affected by bypass of reply forwarding (Moderate): CVE-2025-66415, published for @fastify/reply-from (npm) on Dec 2, 2025.

Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries (Moderate): CVE-2025-68944, published for code.gitea.io/gitea (Go) on Dec 26, 2025.

OliveTin's RestartAction always runs actions as guest (Moderate): CVE-2026-30225, published for github.com/OliveTin/OliveTin (Go) on Mar 5, 2026.

Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path` (Moderate): CVE-2026-33768, published for @astrojs/vercel (npm) on Mar 26, 2026.

Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF (Moderate): CVE-2025-62718, published for axios (npm) on Apr 9, 2026.

Aiven Operator has cross-namespace secret exfiltration via ClickhouseUser connInfoSecretSource (Moderate): CVE-2026-39961, published for github.com/aiven/aiven-operator (Go) on Apr 10, 2026.

Kratos has a Confused Deputy issue (Moderate): CVE-2026-6993, published for github.com/go-kratos/kratos/v2 (Go) on Apr 25, 2026.

Duplicate Advisory: OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API (Moderate): GHSA-8pf2-vj79-4wxg, published for openclaw (npm) on Apr 28, 2026. Withdrawn.

Duplicate Advisory: OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests (Moderate): GHSA-4mhr-cxr4-2prm, published for openclaw (npm) on May 11, 2026. Withdrawn.

Duplicate Advisory: OpenClaw: Workspace dotenv files cannot override connector endpoint hosts (Moderate): GHSA-5jgm-f9wr-9qm7, published for openclaw (npm) on May 11, 2026. Withdrawn.

Sparkle's AppInstaller post-stage-1 XPC listener accepts unvalidated connections, allowing spoofed appcast item data injection (Moderate): CVE-2026-47122, published for github.com/sparkle-project/Sparkle (Swift) on May 29, 2026.

Angular Service Worker Policy-Bypass & Credential-Stripping Vulnerabilities (Moderate): CVE-2026-50169, published for @angular/service-worker (npm) on Jun 15, 2026.

PyJWKClient: missing scheme allowlist enables CVE-2024-21643-class SSRF + token forgery via file://, ftp://, data: schemes (Moderate): CVE-2026-48522, published for PyJWT (pip) on Jun 15, 2026.

NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint (Moderate): CVE-2026-53931, published for nocodb (npm) on Jun 17, 2026.

webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies (Moderate): CVE-2026-9595, published for webpack-dev-server (npm) on Jun 17, 2026.
Advisories are also available from the GraphQL API.