GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
939 advisories
Marten has an injection vulnerability in its full-text search regConfig parameter
Critical | CVE-2026-45288 was published for Marten (NuGet) | May 14, 2026
oxidize-pdf: NaN/inf bypass in colour content-stream emission causes PDF rejection (DoS)
Moderate | GHSA-88q9-cmp2-c2vq was published for OxidizePdf.NET (NuGet) | May 11, 2026
SharpCompress has directory traversal via directory entries in WriteToDirectory (zip slip variant)
Moderate | CVE-2026-44788 was published for SharpCompress (NuGet) | May 8, 2026
OpenTelemetry.Exporter.Instana bypasses TLS certificate validation when a proxy is configured
Moderate | CVE-2026-44213 was published for OpenTelemetry.Exporter.Instana (NuGet) | May 8, 2026
Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect
High | CVE-2026-44503 was published for Microsoft.Kiota.Abstractions (Go) | May 7, 2026
Nerdbank.MessagePack: Attacker-controlled stackalloc in DateTime decoding causes process-terminating StackOverflowException
High | CVE-2026-44375 was published for Nerdbank.MessagePack (NuGet) | May 6, 2026
Snappier has an infinite loop during SnappyStream decompression with malformed framed input
High | CVE-2026-44302 was published for Snappier (NuGet) | May 6, 2026
OpAMP client reads unbounded HTTP response bodies
Moderate | CVE-2026-42348 was published for OpenTelemetry.OpAmp.Client (NuGet) | May 5, 2026
YAFNET has Stored XSS in Forum Thread Posts/Replies that Allows Arbitrary JavaScript Execution for All Thread Viewers
High | CVE-2026-43939 was published for YAFNET.Core (NuGet) | May 5, 2026
YAFNET: Pre-Handler Authorization Bypass on Admin Pages Enables Blind SQL Execution via `/Admin/RunSql`
High | CVE-2026-43937 was published for YAFNET.Core (NuGet) | May 5, 2026
YAFNET has Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header
High | CVE-2026-43938 was published for YAFNET.Core (NuGet) | May 5, 2026
OpenTelemetry's disk retry default temp path enables local blob injection via OTLP Exporter
Moderate | CVE-2026-42191 was published for OpenTelemetry.Exporter.OpenTelemetryProtocol (NuGet) | Apr 30, 2026
OneCollector exporter reads unbounded HTTP response bodies
Moderate | CVE-2026-41484 was published for OpenTelemetry.Exporter.OneCollector (NuGet) | Apr 29, 2026
OpenTelemetry.Resources.Azure has an unbounded HTTP response body read
Moderate | CVE-2026-41483 was published for OpenTelemetry.Resources.Azure (NuGet) | Apr 29, 2026
OpenTelemetry's Zipkin remote endpoint cache could grow without bounds and increase memory pressure
Moderate | CVE-2026-41310 was published for OpenTelemetry.Exporter.Zipkin (NuGet) | Apr 28, 2026
ParquetSharp: Possible Stack Overflow When Reading a ParquetFile with Large Decimal Type Width
Moderate | CVE-2026-42241 was published for ParquetSharp (NuGet) | Apr 24, 2026
OpenTelemetry.Sampler.AWS & OpenTelemetry.Resources.AWS have unbounded HTTP response body reads
Moderate | CVE-2026-41173 was published for OpenTelemetry.Resources.AWS (NuGet) | Apr 23, 2026
OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers
Moderate | CVE-2026-40894 was published for OpenTelemetry.Api (NuGet) | Apr 23, 2026
OpenTelemetry dotnet: Unbounded `grpc-status-details-bin` parsing in OTLP/gRPC retry handling
Moderate | CVE-2026-40891 was published for OpenTelemetry.Exporter.OpenTelemetryProtocol (NuGet) | Apr 23, 2026
OpenTelemetry dotnet: OTLP exporter reads unbounded HTTP response bodies
Moderate | CVE-2026-40182 was published for OpenTelemetry.Exporter.OpenTelemetryProtocol (NuGet) | Apr 23, 2026
Microsoft Security Advisory CVE-2026-40372 – ASP.NET Core Elevation of Privilege
Critical | CVE-2026-40372 was published for Microsoft.AspNetCore.DataProtection (NuGet) | Apr 23, 2026
OpenMcdf has an Infinite loop DoS via crafted CFB directory cycle
Moderate | CVE-2026-41511 was published for OpenMcdf (NuGet) | Apr 22, 2026
MailKit has STARTTLS Response Injection via unflushed stream buffer that enables SASL mechanism downgrade
Moderate | CVE-2026-41319 was published for MailKit (NuGet) | Apr 18, 2026
OpenTelemetry .NET has potential memory exhaustion via unbounded pooled-list sizing in Jaeger exporter conversion path
Moderate | CVE-2026-41078 was published for OpenTelemetry.Exporter.Jaeger (NuGet) | Apr 18, 2026
Zio has SubFileSystem Path Confinement Bypass via Unresolved `..` Segment
Low | GHSA-h39g-6x3c-7fq9 was published for Zio (NuGet) | Apr 18, 2026
ProTip! Advisories are also available from the GraphQL API.