GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem:
All reviewed: 5,000+
Composer: 5,000+
Erlang: 74
GitHub Actions: 54
Go: 4,112
Maven: 5,000+
npm: 5,000+
NuGet: 994
pip: 5,000+
Pub: 13
RubyGems: 1,095
Rust: 1,417
Swift: 61
Unreviewed advisories (all): 5,000+
1,812 advisories
Snipe-IT's TOTP is Brute-Forceable Due to Missing Rate Limiting on `POST /two-factor` (Moderate; CVE-2026-49870; snipe/snipe-it, Composer; published Jun 23, 2026)
opentelemetry-ebpf-profiler: Unprivileged process can trigger a denial of service on the ebpf-profiler agent (Moderate; CVE-2026-48496; go.opentelemetry.io/ebpf-profiler, Go; published Jun 23, 2026)
Gophish through 0.12.1 contains a denial of service vulnerability that allows authenticated users... (High; Unreviewed; CVE-2026-39904; published Jun 22, 2026)
The public dashboard query endpoint does not limit request body size before processing, allowing... (High; Unreviewed; CVE-2026-42127; published Jun 22, 2026)
IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8,5.0,5.1,5.2,5... (Moderate; Unreviewed; CVE-2024-54178; published Jun 22, 2026)
Kozou: Unauthenticated MCP HTTP server and bundled dev-stack hardening (DNS-rebinding, request-body limits, read-only reads, default network exposure) (High; GHSA-v52w-28xh-v562; @kozou/api, npm; published Jun 19, 2026)
symfony/ux-live-component: Denial of service via unbounded batch action requests (Low; CVE-2026-49209; symfony/ux-live-component, Composer; published Jun 19, 2026)
undici WebSocket client vulnerable to denial of service via fragment count bypass (High; CVE-2026-12151; undici, npm; published Jun 19, 2026)
DoS Vulnerability in 10G iSCSI Interface of Hitachi Virtual Storage Platform. This issue... (High; Unreviewed; CVE-2025-7737; published Jun 19, 2026)
PHP JWT Library: PBES2-HS*+A*KW unwrap accepts an unbounded p2c iteration count, enabling CPU-amplification denial of service (High; GHSA-3prj-6hqw-cm82; web-token/jwt-framework, Composer; published Jun 18, 2026)
Hermes WebUI before 0.51.468 contains a resource exhaustion vulnerability in the unauthenticated... (Moderate; Unreviewed; CVE-2026-55205; published Jun 18, 2026)
pypdf: Missing stream length values ignore defined limits (Moderate; GHSA-jm82-fx9c-mx94; pypdf, pip; published Jun 18, 2026)
undici WebSocket client vulnerable to denial of service via cumulative fragment bypass (High; CVE-2026-9675; undici, npm; published Jun 18, 2026)
NCalc: Denial of Service via Unbounded and Non-Terminating Factorial Evaluation (Moderate; CVE-2026-55254; NCalc.Core, NuGet; published Jun 18, 2026)
An attacker with access via network to the Regesta Smart HD-PLC of the provider Teldat (in this... (Moderate; Unreviewed; CVE-2026-27869; published Jun 17, 2026)
pypdf: Manipulated XMP metadata streams can exhaust RAM (Moderate; CVE-2026-48735; pypdf, pip; published Jun 16, 2026)
Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature (Moderate; CVE-2026-50560; io.netty:netty-codec-http2, Maven; published Jun 15, 2026)
Netty: Unbounded pre-allocation in RedisArrayAggregator from RESP array length (High; CVE-2026-50011; io.netty:netty-codec-redis, Maven; published Jun 15, 2026)
Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion (High; CVE-2026-48748; io.netty:netty-codec-http3, Maven; published Jun 15, 2026)
Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS (High; CVE-2026-54283; starlette, pip; published Jun 15, 2026)
OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation (Moderate; CVE-2026-54285; @opentelemetry/core, npm; published Jun 15, 2026)
protobufjs: Memory amplification from preserved unknown fields in binary decode (Moderate; CVE-2026-54270; protobufjs, npm; published Jun 15, 2026)
aiohttp: Incomplete websocket frame payloads bypass memory limits (Moderate; CVE-2026-54274; aiohttp, pip; published Jun 15, 2026)
aiohttp: HTTP/1 Pipelined Requests Queue Without Limit (Moderate; CVE-2026-54273; aiohttp, pip; published Jun 15, 2026)
aiohttp: C HTTP Parser Bypasses max_line_size for Fragmented Lines (Moderate; CVE-2026-54277; aiohttp, pip; published Jun 15, 2026)
Advisories are also available from the GraphQL API.