GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories: All reviewed 5,000+; Composer 5,000+; Erlang 91; GitHub Actions 54; Go 4,194; Maven 5,000+; npm 5,000+; NuGet 1,021; pip 5,000+; Pub 13; RubyGems 1,102; Rust 1,422; Swift 61
Unreviewed advisories: All unreviewed 5,000+
11,566 advisories
Open Babel has heap buffer overflow in SMILES OBSmilesParser::ParseSmiles (High): CVE-2025-10996 was published for openbabel (pip), Jun 30, 2026
Fulcio has OIDC Discovery Redirect Following Allows SSRF and JWKS Substitution for Meta-Issuer Paths, with Kubernetes Service-Account Token Leakage (High): CVE-2026-49478 was published for github.com/sigstore/fulcio (Go), Jun 30, 2026
@adonisjs/bodyparser has an incomplete fix for CVE-2026-25754 (High): CVE-2026-48795 was published for @adonisjs/bodyparser (npm), Jun 30, 2026
Fission: Cross-namespace Environment reference via unvalidated EnvironmentRef in Function admission webhook (High): CVE-2026-49824 was published for github.com/fission/fission (Go), Jun 30, 2026
Fission: Cross-namespace Package read via unvalidated PackageRef in Function admission webhook (High): CVE-2026-49823 was published for github.com/fission/fission (Go), Jun 30, 2026
Fission: Cross-namespace event leakage via KubernetesWatchTrigger allows persistent tenant surveillance (High): CVE-2026-49822 was published for github.com/fission/fission (Go), Jun 30, 2026
Fission: Cross-namespace Environment reference in Package allows build-time command execution and SA token exfiltration (High): CVE-2026-49821 was published for github.com/fission/fission (Go), Jun 30, 2026
Fission: MessageQueueTrigger scaler manager materializes Secret values into Deployment envvars and accepts arbitrary user PodSpec (High): GHSA-7m8x-qg2j-4m3v was published for github.com/fission/fission (Go), Jun 30, 2026
@cedar-policy/authorization-for-expressjs has an authorization bypass via query string manipulation (High): CVE-2026-49473 was published for @cedar-policy/authorization-for-expressjs (npm), Jun 30, 2026
Kahi has privilege-drop and socket/log permission issues (High): GHSA-55f6-4pr5-c7m5 was published for github.com/kahiteam/kahi (Go), Jun 30, 2026
Paymenter has URL parameter injection that bypasses paid plan limits at checkout (High): CVE-2026-47198 was published for paymenter/paymenter (Composer), Jun 30, 2026
Microsoft.OpenAPI: Circular schema references may terminate OpenAPI parsing (High): CVE-2026-49451 was published for Microsoft.OpenAPI (NuGet), Jun 30, 2026
Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query (High): CVE-2026-44840 was published for github.com/dgraph-io/dgraph/v25 (Go), Jun 29, 2026
OpenAM OAuth Client Impersonation via JWKS Resolver Cache (High): CVE-2026-47426 was published for org.openidentityplatform.openam:openam-oauth2 (Maven), Jun 29, 2026
OpenAM Authenticated RCE via Groovy Sandbox Escape (High): CVE-2026-47424 was published for org.openidentityplatform.openam:openam-scripting (Maven), Jun 29, 2026
pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config (High): GHSA-qrv3-253h-g69c was published for pnpm (npm), Jun 27, 2026
pnpm: `patch-remove` could delete project-selected files outside the patches directory (High): GHSA-72r4-9c5j-mj57 was published for pnpm (npm), Jun 27, 2026
pnpm: Hoisted install imports lockfile alias outside node_modules (High): GHSA-fr4h-3cph-29xv was published for pnpm (npm), Jun 27, 2026
pnpm: `stage download` writes outside its destination directory via manifest name/version traversal (High): CVE-2026-55700 was published for pnpm (npm), Jun 26, 2026
pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes (High): CVE-2026-55698 was published for pnpm (npm), Jun 26, 2026
Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR) (High): CVE-2026-49338 was published for go.senan.xyz/gonic (Go), Jun 26, 2026
gonic: Path Traversal in playlist `id` bypasses ownership check, enabling any user to read/delete other users' playlists (High): CVE-2026-49339 was published for go.senan.xyz/gonic (Go), Jun 26, 2026
gonic has arbitrary file write in createPlaylist: any authenticated user can write playlist M3U content to attacker-controlled path on the host (High): CVE-2026-49340 was published for go.senan.xyz/gonic (Go), Jun 26, 2026
pnpm: Repository-controlled configDependencies can select a pacquet native install engine (High): CVE-2026-55697 was published for pnpm (npm), Jun 26, 2026
pnpm: Manifest identity spoof satisfies allowBuilds and runs attacker lifecycle (High): CVE-2026-55487 was published for pnpm (npm), Jun 26, 2026
Advisories are also available from the GraphQL API.