Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
55
GitHub Actions
50
Go
3,732
Maven
5,000+
npm
5,000+
NuGet
935
pip
4,952
Pub
13
RubyGems
1,055
Rust
1,343
Swift
54
Unreviewed advisories
All unreviewed
5,000+

133 advisories

Loading
Netty Redis Codec Encoder has a CRLF Injection Issue Moderate
CVE-2026-42586 was published for io.netty:netty-codec-redis (Maven) May 7, 2026
sse-channel: SSE Injection via unsanitized event fields Moderate
CVE-2026-44217 was published for sse-channel (npm) May 5, 2026
SnailSploit Credited to SnailSploit
AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing Moderate
CVE-2026-43882 was published for wwbn/avideo (Composer) May 5, 2026
Netty: Start-Line Injection in DefaultHttpRequest.setUri() Allows HTTP Request Smuggling and RTSP Request Injection Moderate
CVE-2026-41417 was published for io.netty:netty-codec-http (Maven) May 5, 2026
oxqnd Credited to oxqnd, aest3ra, and mjkim610 aest3ra aest3ra
mjkim610 mjkim610
Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream Moderate
CVE-2026-42037 was published for axios (npm) May 5, 2026
kobi-s Credited to kobi-s
net-imap vulnerable to command Injection via "raw" arguments to multiple commands Moderate
CVE-2026-42257 was published for net-imap (RubyGems) May 4, 2026
manunio Credited to manunio
net-imap vulnerable to command Injection via unvalidated Symbol inputs Moderate
CVE-2026-42258 was published for net-imap (RubyGems) May 4, 2026
manunio Credited to manunio
Improper neutralization of CRLF sequences ('CRLF injection') vulnerability in TUBITAK BILGEM... High Unreviewed
CVE-2026-5140 was published Apr 29, 2026
PHPUnit: Argument injection via newline in PHP INI values forwarded to child processes High
GHSA-mh6w-vxff-9wqp was published for phpunit/phpunit (Composer) Apr 22, 2026
The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and... Moderate Unreviewed
CVE-2026-2717 was published Apr 22, 2026
SD-330AC and AMC Manager provided by silex technology, Inc. contain an improper neutralization of... Moderate Unreviewed
CVE-2026-32964 was published Apr 20, 2026
PHPUnit has Argument injection via newline in PHP INI values that are forwarded to child processes High
CVE-2026-41570 was published for phpunit/phpunit (Composer) Apr 18, 2026
kayw-geek Credited to kayw-geek, sebastianbergmann, and sanmai sebastianbergmann sebastianbergmann
sanmai sanmai
MailGates/MailAudit developed by Openfind has a CRLF Injection vulnerability, allowing... High Unreviewed
CVE-2026-6351 was published Apr 16, 2026
Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add() High
CVE-2026-41230 was published for froxlor/froxlor (Composer) Apr 16, 2026
offset Credited to offset
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability exists that... Moderate Unreviewed
CVE-2026-2400 was published Apr 14, 2026
basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands High
GHSA-6v7q-wjvx-w8wg was published for basic-ftp (npm) Apr 10, 2026
offset Credited to offset
Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output Moderate
CVE-2026-35601 was published for code.vikunja.io/api (Go) Apr 10, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
basic-ftp has FTP Command Injection via CRLF High
CVE-2026-39983 was published for basic-ftp (npm) Apr 8, 2026
zebbern Credited to zebbern
CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller High
CVE-2026-39394 was published for ci4-cms-erp/ci4ms (Composer) Apr 8, 2026
offset Credited to offset
Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO) Moderate
GHSA-vvjj-xcjg-gr5g was published for nodemailer (npm) Apr 8, 2026
tndud042713 Credited to tndud042713
Rack's improper unfolding of folded multipart headers preserves CRLF in parsed parameter values Moderate
CVE-2026-26962 was published for rack (RubyGems) Apr 2, 2026
wtn Credited to wtn, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to... Moderate Unreviewed
CVE-2026-2442 was published Mar 28, 2026
Nodemailer has SMTP command injection due to unsanitized `envelope.size` parameter Low
GHSA-c7w3-x93f-qmm8 was published for nodemailer (npm) Mar 26, 2026
esquilichi Credited to esquilichi
A vulnerability in the web-based Cisco IOx application hosting environment management interface... Moderate Unreviewed
CVE-2026-20113 was published Mar 25, 2026
iCalendar has ICS injection via unsanitized URI property values Moderate
CVE-2026-33635 was published for icalendar (RubyGems) Mar 24, 2026
WesR Credited to WesR
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database