GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
492 advisories
hickory-proto: NSEC3 closest-encloser proof validation enters unbounded loop on cross-zone responses
High | GHSA-3v94-mw7p-v465 was published for hickory-net (Rust) | May 7, 2026

rust-zserio has Unbounded Memory Allocation
High | GHSA-fpf5-4jw8-67x8 was published for rust-zserio (Rust) | May 7, 2026

gix-fs: Symlink prefix-reuse allows worktree escape during checkout
High | CVE-2026-44471 was published for gix-fs (Rust) | May 7, 2026

ldap3_proto has LDAP Filter stack exhaustion
High | GHSA-qcxq-75wr-5cm8 was published for ldap3_proto (Rust) | May 6, 2026

scim_proton and kanidm_proto have an authenticated process abort via SCIM filter stack exhaustion
High | GHSA-r5fr-9gmv-jggh was published for kanidm_proto (Rust) | May 6, 2026

rmcp Streamable HTTP server transport has a DNS rebinding vulnerability
High | CVE-2026-42559 was published for rmcp (Rust) | May 6, 2026

rust-openssl has undefined behavior in X509Ref::ocsp_responders for certificates with non-UTF-8 OCSP URLs
High | CVE-2026-42327 was published for openssl (Rust) | May 5, 2026

RustFS: ListServiceAccount authorizes against wrong admin action, enabling cross-user enumeration and root service account takeover
High | GHSA-mm2q-qcmx-gw4w was published for rustfs (Rust) | May 5, 2026

gix and gitoxide: unvalidated submodule name traverses out of .git/modules and redirects state() / open() to another repository
High | GHSA-fr8x-3vfx-f45h was published for gitoxide (Rust) | May 5, 2026

gix and gitoxide's symlinked .gitmodules are followed and parsed from outside of the repository
High | GHSA-pg4w-g64p-qwhj was published for gitoxide (Rust) | May 5, 2026

gix-pack has multiple DoS vectors: unchecked indexing panics and uncapped OOM allocations from crafted pack data
High | GHSA-x494-mj8g-cj27 was published for gix-pack (Rust) | May 5, 2026

gitoxide: CommandForbiddenInModulesConfiguration Bypass in gix_submodule::File::update() Enables Arbitrary Command Execution via .gitmodules
High | GHSA-f26g-jm89-4g65 was published for gix (Rust) | May 5, 2026

gix's submodule name validation bypass + trust inheritance flaw enables path traversal and credential disclosure
High | GHSA-p3hw-mv63-rf9w was published for gix (Rust) | May 5, 2026

awslabs/tough is Missing Delegated Metadata Validation
High | CVE-2026-6967 was published for tough (Rust) | May 5, 2026

awslabs/tough Delegated Roles have a Signature Threshold Bypass
High | CVE-2026-6966 was published for tough (Rust) | May 5, 2026

Diesel's SQLite backend has possible UTF-8 corruption
High | GHSA-h5x4-m2qf-r4f2 was published for diesel (Rust) | May 5, 2026

Hickory DNS's Record Cache Accepts AUTHORITY-Section NS from Sibling Zone via Parent-Pool Zone-Context Elevation
High | GHSA-83hf-93m4-rgwq was published for hickory-recursor (Rust) | Apr 30, 2026

rustls-webpki: Denial of service via panic on malformed CRL BIT STRING
High | GHSA-82j2-j2ch-gfr8 was published for rustls-webpki (Rust) | Apr 24, 2026

russh has pre-auth DoS via unbounded allocation in its keyboard-interactive auth handler
High | CVE-2026-42189 was published for russh (Rust) | Apr 24, 2026

rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1
High | CVE-2026-41676 was published for openssl (Rust) | Apr 22, 2026

rust-openssl has incorrect bounds assertion in aes key wrap
High | CVE-2026-41678 was published for openssl (Rust) | Apr 22, 2026

rust-openssl: rustMdCtxRef::digest_final() writes past caller buffer with no length check
High | CVE-2026-41681 was published for openssl (Rust) | Apr 22, 2026

rust-openssl: Unchecked callback length in PSK/cookie trampolines leaks adjacent memory to peer
High | CVE-2026-41898 was published for openssl (Rust) | Apr 22, 2026

RustFS: Missing admin authorization on notification target endpoints allows unauthenticated configuration of event webhooks
High | CVE-2026-40937 was published for rustfs (Rust) | Apr 22, 2026

nimiq-primitives: Node crash due to missing interlink validation in election macro block proposals
High | CVE-2026-34065 was published for nimiq-primitives (Rust) | Apr 22, 2026
ProTip! Advisories are also available from the GraphQL API