
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

419 advisories

@nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection') Moderate
CVE-2026-35515 was published for @nestjs/core (npm) Apr 6, 2026
Credited to aleister1102
Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows Moderate
CVE-2026-34773 was published for electron (npm) Apr 3, 2026
Electron: HTTP Response Header Injection in custom protocol handlers and webRequest Moderate
CVE-2026-34767 was published for electron (npm) Apr 3, 2026
fast-filesystem-mcp is vulnerable to command injection through handleGetDiskUsage function Low
CVE-2026-5327 was published for fast-filesystem-mcp (npm) Apr 2, 2026
AWS SDK for PHP has CloudFront Policy Document Injection via Special Characters High
GHSA-27qh-8cxx-2cr5 was published for aws/aws-sdk-php (Composer) Mar 27, 2026
act: Unrestricted set-env and add-path command processing enables environment injection High
CVE-2026-34041 was published for github.com/nektos/act (Go) Mar 27, 2026
Credited to golang-not-rust
Traefik has Knative Ingress Rule Injection that Allows Host Restriction Bypass Moderate
CVE-2026-32695 was published for github.com/traefik/traefik/v2 (Go) Mar 27, 2026
Credited to b-hermes
Spring AI Redis Store has TAG Field Query Injection Through Improper Neutralization of Special Characters High
CVE-2026-22744 was published for org.springframework.ai:spring-ai-redis-store (Maven) Mar 27, 2026
Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API High
CVE-2026-30932 was published for froxlor/froxlor (Composer) Mar 24, 2026
Credited to q1uf3ng
Rails Active Storage has possible glob injection in its DiskService Moderate
CVE-2026-33202 was published for activestorage (RubyGems) Mar 23, 2026
MindSQL is vulnerable to Code Injection through its ask_db function Low
CVE-2026-4506 was published for mindsql (pip) Mar 21, 2026
Credited to offset
Vanna has a SQL injection in the remove_training_data function Moderate
CVE-2026-4229 was published for vanna (pip) Mar 16, 2026
Duplicate Advisory: OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth) Moderate
GHSA-wgx8-r9vw-2w4h was published for openclaw (npm) Mar 12, 2026 withdrawn
Tornado has incomplete validation of cookie attributes Moderate
GHSA-78cv-mqj4-43f7 was published for tornado (pip) Mar 11, 2026
Credited to DHIRAL2908
Traefik: kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values Moderate
CVE-2026-29777 was published for github.com/traefik/traefik (Go) Mar 11, 2026
Credited to 1seal
Caddy's vars_regexp double-expands user input, leaking env vars and files Moderate
CVE-2026-30852 was published for github.com/caddyserver/caddy/v2/modules/caddyhttp (Go) Mar 6, 2026
Credited to sammiee5311
@perfood/couch-auth has a host header injection vulnerability Moderate
CVE-2025-70948 was published for @perfood/couch-auth (npm) Mar 5, 2026
TechDocs Mkdocs Configuration Key Enables Arbitrary Code Execution High
CVE-2026-29186 was published for @backstage/plugin-techdocs-node (npm) Mar 5, 2026
Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE() Moderate
CVE-2026-29085 was published for hono (npm) Mar 4, 2026
Credited to TarPeg007
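The Hono entry above names the general class it belongs to: a CR or LF inside a server-sent-events control field (event, id, retry) ends the current line of the stream, so an attacker who controls that value can append fields or whole events of their own. The following is an added illustration of that class, not Hono's code and not a reproduction of the advisory. It serializes one event the naive way and the hardened way and parses the result the way a browser's EventSource would; the function names, the `demo()` helper and the `ATTACK_ID` string are constructed for this example.

```javascript
// Added example (not Hono's code): CR/LF injection into SSE control fields,
// shown against a minimal event-stream parser. Sample input is constructed.

// Naive serializer: control-field values are written verbatim, so a "\n" or
// "\r" inside a value becomes a new line in the stream and the client parses
// whatever follows as a new field or a new event.
function naiveSSE({ event, data, id }) {
  let out = '';
  if (event !== undefined) out += `event: ${event}\n`;
  if (id !== undefined) out += `id: ${id}\n`;
  out += `data: ${data}\n`;
  return out + '\n';
}

// Hardened serializer: event/id must be a single line, so CR/LF is rejected
// outright rather than stripped (stripping can silently change the value).
// Multi-line data is legal in SSE, but each line must be its own "data:"
// field so it can neither terminate the event nor masquerade as a control
// field.
function safeSSE({ event, data, id }) {
  const singleLine = (name, v) => {
    if (/[\r\n]/.test(v)) throw new Error(`SSE ${name} field must not contain CR/LF`);
    return v;
  };
  let out = '';
  if (event !== undefined) out += `event: ${singleLine('event', String(event))}\n`;
  if (id !== undefined) out += `id: ${singleLine('id', String(id))}\n`;
  for (const line of String(data).split(/\r\n|\r|\n/)) out += `data: ${line}\n`;
  return out + '\n';
}

// Minimal parser following the WHATWG event-stream grammar closely enough to
// show what the client dispatches: a blank line ends an event, a field is the
// text before the first ":", one optional leading space is stripped from the
// value, and an event with no data lines is not dispatched.
function parseSSE(stream) {
  const events = [];
  let cur = { event: 'message', data: [], id: undefined };
  for (const line of stream.split(/\r\n|\r|\n/)) {
    if (line === '') {
      if (cur.data.length) events.push({ event: cur.event, data: cur.data.join('\n'), id: cur.id });
      cur = { event: 'message', data: [], id: undefined };
      continue;
    }
    const idx = line.indexOf(':');
    if (idx === 0) continue; // comment line
    const field = idx < 0 ? line : line.slice(0, idx);
    let value = idx < 0 ? '' : line.slice(idx + 1);
    if (value.startsWith(' ')) value = value.slice(1);
    if (field === 'event') cur.event = value;
    else if (field === 'data') cur.data.push(value);
    else if (field === 'id') cur.id = value;
  }
  return events;
}

// Constructed attacker-controlled id: closes the legitimate event early and
// forges a second event of type "fake".
const ATTACK_ID = '42\ndata: injected\n\nevent: fake\ndata: forged';

// Runs both serializers on the same input and reports what the client sees.
function demo() {
  const legit = { event: 'tick', data: 'ok', id: ATTACK_ID };
  const naive = parseSSE(naiveSSE(legit));
  let safeError = null;
  try { safeSSE(legit); } catch (e) { safeError = e.message; }
  return { naiveEventCount: naive.length, naiveEvents: naive, safeError };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the naive serializer the client dispatches two events, the second one entirely attacker-authored; the hardened serializer refuses the value before anything reaches the wire. The same single-line rule applies to the `retry` field, and the per-line `data:` split is what lets legitimate multi-line payloads through without reopening the hole.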
MCP NMAP Server has an Injection vulnerability Moderate
CVE-2026-3484 was published for mcp-nmap-server (npm) Mar 3, 2026
Ghost Vulnerable to Remote Code Execution via Malicious Themes High
CVE-2026-29053 was published for ghost (npm) Mar 3, 2026
Credited to cristianstaicu
Koa has Host Header Injection via ctx.hostname High
CVE-2026-27959 was published for koa (npm) Feb 26, 2026
Credited to p80n-sec
Storybook Dev Server is Vulnerable to WebSocket Hijacking High
CVE-2026-27148 was published for storybook (npm) Feb 26, 2026
Credited to Aikido-Security, reindaelman, grumpinout1, and JorianWoltjer
mchange-commons-java: Remote Code Execution via JNDI Reference Resolution High
CVE-2026-27727 was published for com.mchange:mchange-commons-java (Maven) Feb 25, 2026
Credited to dpp