GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
145 advisories
canto-saas-api: Authenticated API requests can be redirected via unencoded path variables
Moderate | CVE-2026-55374 was published for jleehr/canto-saas-api (Composer) | Jun 19, 2026

opentelemetry-collector-contrib sentryexporter: Path traversal in Sentry exporter via attacker-controlled service.name reaches privileged Sentry API endpoints with operator bearer token
Moderate | CVE-2026-47256 was published for github.com/open-telemetry/opentelemetry-collector-contrib/exporter/sentryexporter (Go) | Jun 18, 2026

SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv Mismatch
Moderate | CVE-2026-47767 was published for symfony/runtime (Composer) | Jun 9, 2026

hermes-agent has an Injection issue
Moderate | CVE-2026-9366 was published for hermes-agent (pip) | May 26, 2026

hermes-agent has an Injection issue
Moderate | CVE-2026-9353 was published for hermes-agent (pip) | May 26, 2026

org.linlinjava:litemall-wx-api has an Injection issue
Moderate | CVE-2026-8771 was published for org.linlinjava:litemall-wx-api (Maven) | May 18, 2026

Hono has CSS Declaration Injection via Style Object Values in JSX SSR
Moderate | CVE-2026-44458 was published for hono (npm) | May 9, 2026

hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection
Moderate | CVE-2026-44455 was published for hono (npm) | May 6, 2026

SGLang has an Improper Input Validation/Injection Issue
Moderate | CVE-2026-7669 was published for sglang (pip) | May 3, 2026

sqlite-mcp has an Injection issue
Moderate | CVE-2026-7206 was published for sqlite-mcp (pip) | Apr 28, 2026

Dynamic-Datasource has an Injection vulnerability
Moderate | CVE-2026-7045 was published for com.baomidou:dynamic-datasource-spring (Maven) | Apr 27, 2026

PicoClaw has an Injection issue in its Web Launcher Management Plane component
Moderate | CVE-2026-6987 was published for github.com/sipeed/picoclaw (Go) | Apr 25, 2026

ShowDoc has an Injection vulnerability
Moderate | CVE-2026-6982 was published for showdoc/showdoc (Composer) | Apr 25, 2026

i18next-locize-backend has URL Injection via Unsanitized Path Parameters
Moderate | CVE-2026-41885 was published for i18next-locize-backend (npm) | Apr 22, 2026

i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns
Moderate | CVE-2026-41691 was published for i18next-http-backend (npm) | Apr 22, 2026

AgentScope Vulnerable to Remote Code Injection
Moderate | CVE-2026-6603 was published for agentscope (pip) | Apr 20, 2026

MailKit has STARTTLS Response Injection via unflushed stream buffer that enables SASL mechanism downgrade
Moderate | CVE-2026-41319 was published for MailKit (NuGet) | Apr 18, 2026

MetaGPT has an eval injection in metagpt/strategy/tot.py
Moderate | CVE-2026-6110 was published for metagpt (pip) | Apr 12, 2026

PowerJob's GroovyEvaluator.evaluate endpoint vulnerable to code injection
Moderate | CVE-2026-5739 was published for tech.powerjob:powerjob-server-starter (Maven) | Apr 7, 2026

PowerJob vulnerable to SQL injection
Moderate | CVE-2026-5736 was published for tech.powerjob:powerjob-server-starter (Maven) | Apr 7, 2026

@nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')
Moderate | CVE-2026-35515 was published for @nestjs/core (npm) | Apr 6, 2026

Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows
Moderate | CVE-2026-34773 was published for electron (npm) | Apr 3, 2026

Electron: HTTP Response Header Injection in custom protocol handlers and webRequest
Moderate | CVE-2026-34767 was published for electron (npm) | Apr 3, 2026

Traefik has Knative Ingress Rule Injection that Allows Host Restriction Bypass
Moderate | CVE-2026-32695 was published for github.com/traefik/traefik/v2 (Go) | Mar 27, 2026

ProTip! Advisories are also available from the GraphQL API