GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, by ecosystem:
All reviewed: 5,000+
Composer: 5,000+
Erlang: 86
GitHub Actions: 54
Go: 4,169
Maven: 5,000+
npm: 5,000+
NuGet: 1,019
pip: 5,000+
Pub: 13
RubyGems: 1,102
Rust: 1,421
Swift: 61
Unreviewed advisories (all unreviewed): 5,000+

217 advisories
pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes (High). CVE-2026-55698, published for pnpm (npm) on Jun 26, 2026.
pnpm: Repository-controlled configDependencies can select a pacquet native install engine (High). CVE-2026-55697, published for pnpm (npm) on Jun 26, 2026.
pnpm: Manifest identity spoof satisfies allowBuilds and runs attacker lifecycle (High). CVE-2026-55487, published for pnpm (npm) on Jun 26, 2026.
MISP allowed an authenticated site administrator to set the Kafka_rdkafka_config setting to an... (Critical, unreviewed). CVE-2026-56447, published Jun 22, 2026.
containerd: CRI checkpoint import allows local image tag poisoning (Moderate). CVE-2026-50195, published for github.com/containerd/containerd/v2 (Go) on Jun 19, 2026.
[Eclipse Theia] Arbitrary Command Execution via Untrusted Workspace Task Definitions (High). CVE-2026-44691, published for @theia/debug (npm) on Jun 18, 2026.
[Eclipse Theia] Indirect Prompt Injection via Auto-Loaded Workspace Prompt Template Files in AI Chat (High). CVE-2026-46580, published for @theia/ai-chat (npm) on Jun 18, 2026.
[Eclipse Theia] Indirect Prompt Injection via Adversarial Workspace File and Directory Names in AI Chat (High). CVE-2026-44688, published for @theia/ai-chat (npm) on Jun 18, 2026.
Dell PowerFlex Manager, version(s) Version prior to 4.8, contain(s) an Inclusion of Functionality... (High, unreviewed). CVE-2026-22283, published Jun 17, 2026.
Pi Agent: Pi loads project-local extensions without approval (Moderate). CVE-2026-54325, published for @earendil-works/pi-coding-agent (npm) on Jun 17, 2026.
When the application executes the JavaScript script embedded in the PDF within the sandbox, it... (High, unreviewed). CVE-2026-12057, published Jun 15, 2026.
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed an... (High, unreviewed). CVE-2026-11269, published Jun 5, 2026.
Version 3.0.7 of the Securly Chrome Extension dynamically registers content13.min.js as a content... (High, unreviewed). CVE-2026-8879, published Jun 3, 2026.
A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0... (High, unreviewed). CVE-2026-5241, published Jun 3, 2026.
An inclusion of functionality from untrusted control sphere vulnerability in OpenSSL... (High, unreviewed). CVE-2022-49036, published Jun 3, 2026.
An inclusion of functionality from untrusted control sphere vulnerability in MinGW DLL component... (High, unreviewed). CVE-2022-49042, published Jun 3, 2026.
PraisonAI: Arbitrary code execution via unguarded `spec.loader.exec_module` in `agents_generator.py` - sibling of CVE-2026-44334 (High). CVE-2026-47398, published for PraisonAI (pip) on May 29, 2026.
yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation (High). CVE-2026-42089, published for yeoman-environment (npm) on May 26, 2026.
The vllm-metal inference backend in Docker Model Runner on macOS unconditionally sets... (High, unreviewed). CVE-2026-5817, published May 26, 2026.
The MLX inference backend in Docker Model Runner on macOS uses the MLX-LM library, which... (High, unreviewed). CVE-2026-5843, published May 26, 2026.
Mailpit: Path traversal & arbitrary file write in mailpit dump --http via attacker-controlled message IDs (Moderate). CVE-2026-45711, published for github.com/axllent/mailpit (Go) on May 19, 2026.
Duplicate Advisory: OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config (Moderate). GHSA-p3m6-jr2h-hhxj, published for openclaw (npm) on May 11, 2026; withdrawn.
PraisonAI MCP `tools/call` path-traversal => RCE via Python `.pth` injection (Critical). CVE-2026-44336, published for PraisonAI (pip) on May 11, 2026.
Kdenlive before 26.04.1 allows dangerous proxy parameters when an attacker-controlled project... (Moderate, unreviewed). CVE-2026-45184, published May 10, 2026.
Electerm users can run dangerous code through link or command line (Critical). CVE-2026-43944, published for electerm (npm) on May 8, 2026.