GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,273
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,489
Swift
61
Unreviewed advisories
All unreviewed
5,000+
34 advisories
Filter by severity
Trapster Community: Unauthenticated malformed DNS compression pointers crash per-packet honeypot handler
Moderate
GHSA-mxwc-wh95-pw4g
was published
for
trapster
(pip)
Jul 8, 2026
async-tar PAX extension-header desync enables tar entry/content smuggling
Moderate
CVE-2026-53600
was published
for
async-tar
(Rust)
Jul 8, 2026
Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding — chunked / HTTP/2 requests
High
CVE-2026-50197
was published
for
github.com/zalando/skipper
(Go)
Jul 8, 2026
Weblate SSRF: outbound URL guard misses some private ranges
Moderate
CVE-2026-50127
was published
for
weblate
(pip)
Jul 7, 2026
Flask-Security-Too: WebAuthn reauthentication freshness bypass via cross-user assertion
Moderate
GHSA-f66q-9rf6-8795
was published
for
Flask-Security-Too
(pip)
Jul 7, 2026
Goploy: Cross-namespace IDOR and RCE via body-supplied row id in project and project_file handlers
Critical
CVE-2026-53552
was published
for
github.com/zhenorzz/goploy
(Go)
Jul 7, 2026
aiosmtplib vulnerable to SMTP command injection via CR/LF in sender/recipient address
Moderate
CVE-2026-53533
was published
for
aiosmtplib
(pip)
Jul 7, 2026
Dragonfly scheduler v1 and v2 gRPC unauthenticated SSRF via attacker-controlled PeerHost in DownloadTinyFile
Moderate
CVE-2026-54637
was published
for
d7y.io/dragonfly/v2
(Go)
Jul 6, 2026
flyto-core has SSRF guard bypass via IPv6 transition addresses (IPv4-mapped / 6to4 / NAT64) in validate_url_ssrf
High
CVE-2026-55787
was published
for
flyto-core
(pip)
Jul 6, 2026
Dragonfly Manager OAuth provider client_secret disclosure via unauthenticated GET /api/v1/oauth
Low
CVE-2026-49254
was published
for
d7y.io/dragonfly/v2
(Go)
Jul 2, 2026
joserfc: HS256/HS384/HS512 verify accepts empty/nil HMAC key (cross-language sibling of CVE-2026-45363)
High
CVE-2026-49852
was published
for
joserfc
(pip)
Jul 2, 2026
Dulwich's submodule path traversal in porcelain.submodule_update / porcelain.clone(recurse_submodules=True) yields RCE via attacker-dropped .git/hooks payload
High
CVE-2026-52726
was published
for
dulwich
(pip)
Jul 2, 2026
Langroid: SQLChatAgent _validate_query blocklist misses pg_read_file family enabling arbitrary file read
High
CVE-2026-50180
was published
for
langroid
(pip)
Jul 2, 2026
Kerberos Hub private key (X-Kerberos-Hub-PrivateKey) leaked to cross-host redirect target due to redirect-following HTTP client without CheckRedirect
Moderate
CVE-2026-50192
was published
for
github.com/kerberos-io/agent/machinery
(Go)
Jul 2, 2026
Mailpit: Sibling-endpoint memory-exhaustion DoS via unbounded JSON body on /api/v1/messages, /api/v1/tags, and /api/v1/message/{id}/release (incomplete fix of GHSA-fpxj-m5q8-fphw)
Moderate
CVE-2026-48824
was published
for
github.com/axllent/mailpit
(Go)
Jul 1, 2026
land.oras:oras-java-sdk: Symlink-based path traversal in ArchiveUtils.untar / unzip allows arbitrary file write outside extraction directory
Low
GHSA-j6hm-v3x2-qv6j
was published
for
land.oras:oras-java-sdk
(Maven)
Jul 1, 2026
pay-rails/pay: non-constant-time HMAC comparison in Paddle Billing webhook signature verifier
High
GHSA-mjgf-xj26-9qf9
was published
for
pay
(RubyGems)
Jul 1, 2026
Fission builder pods auto-mount the fission-builder ServiceAccount token in the user-supplied builder container
Moderate
CVE-2026-50565
was published
for
github.com/fission/fission
(Go)
Jun 30, 2026
@microsoft/kiota-http-fetchlibrary: Bearer token and Cookie leak across origin on redirect due to case-mismatched scrub in fetchRequestAdapter
Moderate
CVE-2026-49336
was published
for
@microsoft/kiota-http-fetchlibrary
(npm)
Jun 26, 2026
js-toml vulnerable to CPU exhaustion via O(n^2) BigInt construction on radix-prefixed integer literals
High
CVE-2026-49293
was published
for
js-toml
(npm)
Jun 26, 2026
php-weasyprint: shell command injection via configurable WeasyPrint binary path due to inverted is_executable() guard (mirror of KnpLabs/snappy GHSA-vpr4-p6fq-85jc)
High
CVE-2026-49260
was published
for
pontedilana/php-weasyprint
(Composer)
Jun 26, 2026
Incus: CreateCustomVolumeFromBackup nil-pointer dereference on volume_snapshots[*].expires_at (sibling-field variant of GHSA-r7w7)
Low
CVE-2026-48756
was published
for
github.com/lxc/incus/v7/cmd/incusd
(Go)
Jun 26, 2026
Incus: Nil-pointer dereference in createDependentVolumesFromBackup on disk.{Volume,VolumeSnapshots,Pool}
Low
CVE-2026-48754
was published
for
github.com/lxc/incus/v7/cmd/incusd
(Go)
Jun 26, 2026
opentelemetry_sdk has unbounded memory allocation in W3C Baggage propagation
Moderate
CVE-2026-48504
was published
for
opentelemetry_sdk
(Rust)
Jun 25, 2026
AVideo Meet plugin: anonymous-to-admin stored XSS via unescaped participant User-Agent in getMeetInfo.json.php Participants panel
Moderate
GHSA-7cqp-7cfv-6c3q
was published
for
wwbn/avideo
(Composer)
Jun 23, 2026
ProTip!
Advisories are also available from the
GraphQL API