GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

10,605 advisories

netbox-data-flows has stored XSS in ObjectAlias names rendered inside DataFlow tables (High)
GHSA-v7qw-hx66-4w9x was published for netbox-data-flows (pip) on May 7, 2026
Credited to xanode

mcp-ssh-tool has file transfer path policy bypass and bearer token comparison hardening (High)
GHSA-j7h9-2jh7-g967 was published for mcp-ssh-tool (npm) on May 7, 2026
Credited to 0xmrma

Ech0's access tokens with expiry=never cannot be revoked: logout panics, delete does not blacklist JTI (High)
GHSA-fpw6-hrg5-q5x5 was published for github.com/lin-snow/Ech0 (Go) on May 7, 2026
Credited to adrgs and aisafe-bot

Ech0's OAuth redirect URI validation ignores path component, enables exchange-code theft (High)
GHSA-p64j-f4x9-wq66 was published for github.com/lin-snow/Ech0 (Go) on May 7, 2026
Credited to adrgs and aisafe-bot

Ech0 has Server-Side Request Forgery (SSRF) via Connect Handler fetchPeerConnectInfo (High)
GHSA-8mc6-xjpr-h98x was published for github.com/lin-snow/ech0 (Go) on May 7, 2026

Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leads to Remote Code Execution (High)
CVE-2026-44522 was published for github.com/enchant97/note-mark/backend (Go) on May 7, 2026
Credited to rvizx and enchant97

FacturaScripts Vulnerable to Remote Code Execution (RCE) via Zip Slip in Plugin Upload Mechanism (High)
CVE-2026-27891 was published for facturascripts/facturascripts (Composer) on May 7, 2026
Credited to ZeroXJacks and Quasar0147

Diffusers has a `trust_remote_code` bypass via `custom_pipeline` and local custom components (High)
CVE-2026-44513 was published for diffusers (pip) on May 7, 2026
Credited to hlky and Vancir

vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS) (High)
CVE-2026-44001 was published for vm2 (npm) on May 7, 2026
Credited to koDove

Bandit's unbounded WebSocket inflate causes BEAM OOM with a single frame (High)
CVE-2026-39804 was published for bandit (Erlang) on May 7, 2026
Credited to PJUllrich, mtrudel, and maennchen

hickory-proto: NSEC3 closest-encloser proof validation enters unbounded loop on cross-zone responses (High)
GHSA-3v94-mw7p-v465 was published for hickory-net (Rust) on May 7, 2026

Talos Linux has a local privilege escalation from untrusted workloads (High)
GHSA-m38g-vww2-mvgx was published for github.com/siderolabs/talos (Go) on May 7, 2026

Duplicate Advisory: Diffusers has a `trust_remote_code` bypass via `custom_pipeline` and local custom components (High)
GHSA-j7w6-vpvq-j3gm was published for diffusers (pip) on May 7, 2026 (withdrawn)

katalyst-koi: Session cookies can be replayed after user logout (High)
CVE-2026-44511 was published for katalyst-koi (RubyGems) on May 7, 2026

Free5GC UDM has Improper Input Validation and Generation of Error Messages Containing Sensitive Information (High)
CVE-2026-42459 was published for github.com/free5gc/udm (Go) on May 7, 2026
Credited to Giancannella and LinZiyuu

rust-zserio has Unbounded Memory Allocation (High)
GHSA-fpf5-4jw8-67x8 was published for rust-zserio (Rust) on May 7, 2026

Aegra has cross-user run injection in /threads/{thread_id}/runs (IDOR) (High)
CVE-2026-44504 was published for aegra-api (pip) on May 7, 2026
Credited to victorjmarin

Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect (High)
CVE-2026-44503 was published for Microsoft.Kiota.Abstractions (Go) on May 7, 2026
Credited to MIchaelMainer

Rancher Extensions have arbitrary file access via path traversal (High)
CVE-2026-25705 was published for github.com/rancher/rancher (Go) on May 7, 2026
Credited to KoreaSecurity

Amazon ECS Container Agent (Windows) is vulnerable to Information Disclosure (High)
GHSA-fc67-c4hg-q653 was published for github.com/aws/amazon-ecs-agent (Go) on May 7, 2026

Gotenberg has an unauthenticated denial of service via echo.Context pool reuse in webhook async goroutine (High)
CVE-2026-42594 was published for github.com/gotenberg/gotenberg/v8 (Go) on May 7, 2026
Credited to adrgs and aisafe-bot