Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
40
Go
2,974
Maven
5,000+
npm
4,621
NuGet
788
pip
4,317
Pub
12
RubyGems
984
Rust
1,131
Swift
49
Unreviewed advisories
All unreviewed
5,000+

3,664 advisories

Loading
Known affected by Account Takeover via Password Reset Token Leakage Critical
CVE-2026-26273 was published for idno/known (Composer) Feb 13, 2026
IamLeandrooooo
Credited to IamLeandrooooo
`polymarket-client-sdks` was removed from crates.io for malicious code Critical
GHSA-p5vf-5754-x7p3 was published for polymarket-client-sdks (Rust) Feb 13, 2026
`sha-rst` was removed from crates.io for malicious code Critical
GHSA-vgr2-r5hm-f6gf was published for sha-rst (Rust) Feb 12, 2026
`finch_cli_rust` was removed from crates.io for malicious code Critical
GHSA-6v2j-vr4h-f632 was published for finch_cli_rust (Rust) Feb 12, 2026
`finch-rst` was removed from crates.io for malicious code Critical
GHSA-xp79-9mxw-878j was published for finch-rst (Rust) Feb 12, 2026
Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise Critical
CVE-2026-26190 was published for github.com/milvus-io/milvus (Go) Feb 11, 2026
set-in Affected by Prototype Pollution Critical
CVE-2026-26021 was published for set-in (npm) Feb 11, 2026
kevgeoleo vdata1
reallyTG
Credited to kevgeoleo, vdata1, and reallyTG
Azure AI Language Authoring Elevation of Privilege Vulnerability can Lead to RCE Critical
CVE-2026-21531 was published for azure-ai-language-conversations-authoring (pip) Feb 10, 2026
scottaddie
Credited to scottaddie
CASL Ability is Vulnerable to Prototype Pollution Critical
CVE-2026-1774 was published for @casl/ability (npm) Feb 10, 2026
Apache Druid Vulnerable to Authentication Bypass Critical
CVE-2026-23906 was published for org.apache.druid.extensions:druid-basic-security (Maven) Feb 10, 2026
FUXA Unauthenticated Remote Arbitrary Scheduler Write Critical
CVE-2026-25939 was published for fuxa-server (npm) Feb 10, 2026
wodzen
Credited to wodzen
FUXA Unauthenticated Remote Code Execution in Node-RED Integration Critical
CVE-2026-25938 was published for fuxa-server (npm) Feb 10, 2026
wodzen
Credited to wodzen
@nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape) Critical
CVE-2026-25881 was published for @nyariv/sandboxjs (npm) Feb 10, 2026
k14uz
Credited to k14uz
Fiber has an insecure fallback in utils.UUIDv4() / utils.UUID() — predictable / zero‑UUID on crypto/rand failure Critical
CVE-2025-66630 was published for github.com/gofiber/fiber/v2 (Go) Feb 9, 2026
sixcolors
Credited to sixcolors
Keylime Missing Authentication for Critical Function and Improper Authentication Critical
CVE-2026-1709 was published for keylime (pip) Feb 6, 2026
saivarun3407 Death-Incarnate
Credited to saivarun3407 and Death-Incarnate
Duplicate Advisory: Keylime Missing Authentication for Critical Function and Improper Authentication Critical
GHSA-27jc-jmp8-qfw5 was published for keylime (pip) Feb 6, 2026 withdrawn
`uniswap-utils` was removed from crates.io for malicious code Critical
GHSA-x468-phr8-h3p3 was published for uniswap-utils (Rust) Feb 6, 2026
`sha-rust` was removed from crates.io for malicious code Critical
GHSA-3mmg-7c2q-8938 was published for sha-rust (Rust) Feb 6, 2026
`finch-rust` was removed from crates.io for malicious code Critical
GHSA-f8h5-x737-x4xr was published for finch-rust (Rust) Feb 6, 2026
`polymarket-clients-sdk` was removed from crates.io for malicious code Critical
GHSA-382q-fpqh-29f7 was published for polymarket-clients-sdk (Rust) Feb 6, 2026
`evm-units` was removed from crates.io for malicious code Critical
GHSA-6662-54xr-8423 was published for evm-units (Rust) Feb 6, 2026
A single post-release of dydx-v4-client contained obfuscated multi-stage loader Critical
GHSA-4f84-67cv-qrv3 was published for dydx-v4-client (pip) Feb 6, 2026
Semantic Kernel has Arbitrary File Write via AI Agent Function Calling in .NET SDK Critical
CVE-2026-25592 was published for Microsoft.SemanticKernel.Core (NuGet) Feb 6, 2026
doredry amiteliahu
urioren
Credited to doredry, amiteliahu, and urioren
OpenSTAManager has an OS Command Injection in P7M File Processing Critical
CVE-2025-69212 was published for devcode-it/openstamanager (Composer) Feb 6, 2026
lukasz-rybak
Credited to lukasz-rybak
Gogs's update .git/config file allows remote command execution Critical
CVE-2025-64111 was published for gogs.io/gogs (Go) Feb 6, 2026
ROPShell
Credited to ROPShell
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database