GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,185 advisories

Credited to qi-scape and Classic298
Strapi: Password Reset Does Not Revoke Existing Refresh Sessions Low
CVE-2026-22706 was published for @strapi/admin (npm) May 13, 2026
Credited to zaddy6, arthurgervais, derrickmehaffy, AndyAnh174, and Aastha2602
Astro: Server island encrypted parameters vulnerable to cross-component replay Low
CVE-2026-45028 was published for astro (npm) May 13, 2026
Credited to Popax21
Next.js's Middleware / Proxy redirects can be cache-poisoned Low
CVE-2026-44572 was published for next (npm) May 11, 2026
Ella Core has handover failures during concurrent Security Mode Command Low
CVE-2026-44474 was published for github.com/ellanetworks/core (Go) May 11, 2026
Credited to SJNA0414, ICSR-KMU, and bradypus404
bettercap Has an Integer Coercion Error in the ippReadChunkedBody Function Low
CVE-2026-8275 was published for github.com/bettercap/bettercap/v2 (Go) May 11, 2026
bettercap Has an Integer Coercion Error in modules/mysql_server/mysql_server.go Low
CVE-2026-8276 was published for github.com/bettercap/bettercap/v2 (Go) May 11, 2026
Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify() Low
CVE-2026-44459 was published for hono (npm) May 9, 2026
Credited to AdmirBajric
absinthe_plug Has a Cross-site Scripting vulnerability Low
CVE-2026-42794 was published for absinthe_plug (Erlang) May 8, 2026
justhtml introduces denial-of-service hardening Low
GHSA-r8cj-3554-33mr was published for justhtml (pip) May 8, 2026
Credited to EmilStenstrom
nhost has Session Persistence After Password Change Low
GHSA-7hgr-xvrr-xpw3 was published for github.com/nhost/nhost (Go) May 8, 2026
Credited to skoveit
MCP Registry's GitHub OIDC tokens are replayable across registry deployments due to shared audience Low
CVE-2026-44428 was published for github.com/modelcontextprotocol/registry (Go) May 8, 2026
Credited to FORIMOC and rdimitrov
OSGeo GDAL vulnerable to heap-based buffer overflow Low
CVE-2026-8087 was published for GDAL (pip) May 7, 2026
OSGeo GDAL vulnerable to out-of-bounds read Low
CVE-2026-8088 was published for GDAL (pip) May 7, 2026
Webauthn has a User Verification Downgrade via Default-Open ClientOverridePolicy Low
GHSA-h4fw-6r7f-w494 was published for web-auth/webauthn-framework (Composer) May 7, 2026
Credited to offset
nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect) Low
CVE-2026-44589 was published for nuxt-og-image (npm) May 7, 2026
Credited to b-hermes
FacturaScripts vulnerable to Reflected Cross-Site Scripting (XSS) via Cookie Manipulation Low
CVE-2026-27964 was published for facturascripts/facturascripts (Composer) May 7, 2026
Credited to jaroslaw-wawiorko
Credited to SamyGhannad
Free5GC AMF has Missing Concurrent NAS SMC Validation During NGAP Handover Low
CVE-2026-42082 was published for github.com/free5gc/amf (Go) May 7, 2026
Credited to SJNA0414, ICSR-KMU, and bradypus404
container: pf Rule Injection via Domain Name Argument in `container system dns create --localhost` Command Low
GHSA-39g5-644c-qwcg was published for github.com/apple/container (Swift) May 7, 2026
Credited to XlabAITeam and 0xmrma
Netty has HTTP Header Injection via HttpProxyHandler Disabled Validation (Incomplete Fix CVE-2025-67735) Low
CVE-2026-42578 was published for io.netty:netty-handler-proxy (Maven) May 7, 2026
Credited to August829
OpenSearch has ineffective TLS certificate hostname verification Low
GHSA-x5hg-x4gv-j98m was published for org.opensearch.plugin:opensearch-security (Maven) May 7, 2026
ProTip! Advisories are also available from the GraphQL API