GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

11,331 advisories

Use after free in libpulse-binding [Moderate]
CVE-2018-25001 was published for libpulse-binding (Rust) on Feb 3, 2024.

Duplicate Advisory: Use after free in libpulse-binding [Moderate]
GHSA-6gvc-4jvj-pwq4 was published for libpulse-binding (Rust) on Aug 30, 2021 (withdrawn).

Spring Security has a broken timing attack mitigation implemented in DaoAuthenticationProvider [Moderate]
CVE-2025-22234 was published for org.springframework.security:spring-security-core (Maven) on Jan 22, 2026.

Metricbeat affected by multiple denial of service vulnerabilities [Moderate]
CVE-2026-0528 was published for github.com/elastic/beats/v7 (Go) on Jan 13, 2026.

Prototype Pollution in extend [Moderate]
CVE-2018-16492 was published for extend (npm) on Feb 7, 2019.
Credited to ljharb.

Vite has `server.fs.deny` bypassed for `inline` and `raw` with `?import` query [Moderate]
CVE-2025-31125 was published for vite (npm) on Mar 31, 2025.
Credited to Iuhsssss.

sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal [Moderate]
CVE-2026-24137 was published for github.com/sigstore/sigstore (Go) on Jan 22, 2026.
Credited to 1seal.

Improper Verification of Cryptographic Signature in aws-encryption-sdk-java [Moderate]
CVE-2024-23680 was published for com.amazonaws:aws-encryption-sdk-java (Maven) on Jun 1, 2021.

Duplicate Advisory: Improper Verification of Cryptographic Signature in aws-encryption-sdk-java [Moderate]
GHSA-gvc7-gjrw-hj65 was published for com.amazonaws:aws-encryption-sdk-java (Maven) on Jan 19, 2024 (withdrawn).
Credited to oscerd.

gnark-crypto doesn't range check input values during ECDSA and EdDSA signature deserialization [Moderate]
CVE-2023-44273 was published for github.com/consensys/gnark-crypto (Go) on Oct 15, 2025.

Hard-coded System User Credentials in Folio Data Export Spring module [Moderate]
CVE-2024-23685 was published for org.folio:mod-remote-storage (Maven) on Jul 25, 2023.

Duplicate Advisory: Hard-coded credentials in org.folio:mod-remote-storage [Moderate]
GHSA-hv5g-q4h3-64q4 was published for org.folio:mod-remote-storage (Maven) on Jan 19, 2024 (withdrawn).

JavaScript execution via malicious molfiles (XSS) [Moderate]
CVE-2024-0758 was published for de.ipb-halle:molecularfaces (Maven) on Apr 16, 2021.

Duplicate Advisory: JavaScript execution via malicious molfiles (XSS) [Moderate]
GHSA-wc6f-qjxc-622v was published for de.ipb-halle:molecularfaces (Maven) on Jan 19, 2024 (withdrawn).

ClickHouse vulnerable to client certificate password exposure in client exception [Moderate]
CVE-2024-23689 was published for com.clickhouse:clickhouse-client (Maven) on May 12, 2023.
Credited to mcollina and illia-v.

orjson does not limit recursion for deeply nested JSON documents [Moderate]
CVE-2025-67221 was published for orjson (pip) on Jan 22, 2026.

Rekor affected by Server-Side Request Forgery (SSRF) via provided public key URL [Moderate]
CVE-2026-24117 was published for github.com/sigstore/rekor (Go) on Jan 22, 2026.
Credited to 1seal.

Rekor's COSE v0.0.1 entry type nil pointer dereference in Canonicalize via empty Message [Moderate]
CVE-2026-23831 was published for github.com/sigstore/rekor (Go) on Jan 22, 2026.
Credited to 1seal.

pH7-Social-Dating-CMS affected by a stored cross-site scripting (XSS) vulnerability [Moderate]
CVE-2025-63644 was published for ph7software/ph7builder (Composer) on Jan 14, 2026.

Umbraco CMS has an arbitrary file upload vulnerability [Moderate]
CVE-2025-67288 was published for Umbraco.Cms (NuGet) on Dec 22, 2025.
Credited to legacy-git.

mailqueue TYPO3 extension affected by Insecure Deserialization in QueueableFileTransport [Moderate]
CVE-2026-0895 was published for cpsit/typo3-mailqueue (Composer) on Jan 21, 2026.
Credited to eliashaeussler.

go-tuf improperly validates the configured threshold for delegations [Moderate]
CVE-2026-23992 was published for github.com/theupdateframework/go-tuf/v2 (Go) on Jan 21, 2026.
Credited to 1seal, kommendorkapten, and rdimitrov.

go-tuf affected by client DoS via malformed server response [Moderate]
CVE-2026-23991 was published for github.com/theupdateframework/go-tuf/v2 (Go) on Jan 21, 2026.
Credited to 1seal, kommendorkapten, and rdimitrov.

CoreShop Vulnerable to SQL Injection via Admin customer-company-modifier [Moderate]
CVE-2026-23959 was published for coreshop/core-shop (Composer) on Jan 21, 2026.
Credited to bypazs and PlyNatwara.
Note: advisories are also available from the GraphQL API.