
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,163 advisories

Webauthn has a User Verification Downgrade via Default-Open ClientOverridePolicy Low
GHSA-h4fw-6r7f-w494 was published for web-auth/webauthn-framework (Composer) May 7, 2026
Credited to offset
nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect) Low
CVE-2026-44589 was published for nuxt-og-image (npm) May 7, 2026
Credited to b-hermes
FacturaScripts vulnerable to Reflected Cross-Site Scripting (XSS) via Cookie Manipulation Low
CVE-2026-27964 was published for facturascripts/facturascripts (Composer) May 7, 2026
Credited to jaroslaw-wawiorko and SamyGhannad
Free5GC AMF has Missing Concurrent NAS SMC Validation During NGAP Handover Low
CVE-2026-42082 was published for github.com/free5gc/amf (Go) May 7, 2026
Credited to SJNA0414, ICSR-KMU, and bradypus404
container: pf Rule Injection via Domain Name Argument in `container system dns create --localhost` Command Low
GHSA-39g5-644c-qwcg was published for github.com/apple/container (Swift) May 7, 2026
Credited to XlabAITeam and 0xmrma
Netty has HTTP Header Injection via HttpProxyHandler Disabled Validation (Incomplete Fix CVE-2025-67735) Low
CVE-2026-42578 was published for io.netty:netty-handler-proxy (Maven) May 7, 2026
Credited to August829
OpenSearch has ineffective TLS certificate hostname verification Low
GHSA-x5hg-x4gv-j98m was published for org.opensearch.plugin:opensearch-security (Maven) May 7, 2026
OpenSearch vulnerable to improper authorization for Rollover Requests Low
GHSA-22vx-2x23-98w6 was published for org.opensearch.plugin:opensearch-security (Maven) May 7, 2026
OpenSearch has a bypass of REST Layer Authorization Using Malformed Paths Low
GHSA-83x9-vc3c-hghc was published for org.opensearch.plugin:opensearch-security (Maven) May 7, 2026
diesel-async may expose uninitialized padding bytes for MySQL temporal columns Low
GHSA-ff9q-rm55-q7qr was published for diesel-async (Rust) May 7, 2026
Credited to paolobarbolini
Kanidm has non-constant-time comparison of OAuth2 client_secret Low
GHSA-53hj-r94p-8c8f was published for kanidm (Rust) May 6, 2026
Credited to mbarbero
webauthn-rs-core/webauthn-authenticator-rs: Origin validation mismatch possible when subdomains are allowed Low
GHSA-22w3-693w-x895 was published for webauthn-authenticator-rs (Rust) May 6, 2026
Credited to dorakemon
MediaMTX affected by CVE-2026-27143 due to vulnerable dependency Low
GHSA-2ccx-cjjh-r2j8 was published for github.com/bluenviron/mediamtx (Go) May 6, 2026
aiograpi has dependency on vulnerable orjson 3.11.4 (CVE-2025-67221) Low
GHSA-7mw3-79jq-xc7f was published for aiograpi (pip) May 6, 2026
rpassword affected by partial password reveal when input is interrupted Low
GHSA-2p6r-x3vv-xqm2 was published for rpassword (Rust) May 6, 2026
Credited to DevLaTron and squell
Magic Wormhole: receive, with --output pointing at an existing directory can be path-traversed Low
CVE-2026-42448 was published for magic-wormhole (pip) May 6, 2026
Credited to offset
astral-tokio-tar: `unpack_in` can chmod arbitrary directories by following symlinks Low
GHSA-xx64-wwv2-hcqq was published for astral-tokio-tar (Rust) May 6, 2026
Credited to LawnGnome and woodruffw
ciguard: Web UI is missing HTTP defence-in-depth headers Low
GHSA-7ww3-xvf5-cxwm was published for ciguard (pip) May 5, 2026
ciguard: discover_pipeline_files follows symlinks out of scan root Low
CVE-2026-44220 was published for ciguard (pip) May 5, 2026
ciguard: Container image runs as root (no USER directive) Low
CVE-2026-44218 was published for ciguard (pip) May 5, 2026
parse-server: MFA SMS one-time password accepted twice under concurrent login Low
CVE-2026-43930 was published for parse-server (npm) May 5, 2026
Credited to adrgs, aisafe-bot, and mtrezza
Geyser Vulnerable to Server-Side Request Forgery (SSRF) via Player Head Texture URL in Geyser Low
CVE-2026-42188 was published for org.geysermc.geyser:core (Maven) May 5, 2026
Credited to mugi-sec and onebeastchris