Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
55
GitHub Actions
50
Go
3,732
Maven
5,000+
npm
5,000+
NuGet
935
pip
4,952
Pub
13
RubyGems
1,055
Rust
1,343
Swift
54
Unreviewed advisories
All unreviewed
5,000+

381 advisories

Loading
Gotenberg has a Server-Side Request Forgery (SSRF) Issue High
CVE-2026-42591 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
kakarotsec Credited to kakarotsec
Gotenberg has Unauthenticated RCE via ExifTool Metadata Key Injection Critical
CVE-2026-42589 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
S-Senhaji Credited to S-Senhaji
Mezo: ERC-20 bridgeOut burn can be erased by a stale StateDB overwrite leading to full L1 bridge drain High
GHSA-6447-269v-g68m was published for github.com/mezo-org/mezod (Go) May 6, 2026
DeltaXV Credited to DeltaXV
Traefik's errors middleware forwards Authorization and Cookie headers to separate error page service Moderate
CVE-2026-41181 was published for github.com/traefik/traefik/v2 (Go) May 4, 2026
lalalala5678 Credited to lalalala5678
Gotenberg has an ExifTool Dangerous Tag Blocklist Bypass via Group-Prefixed Tag Names that Allows Arbitrary File Rename and Move High
CVE-2026-40893 was published for github.com/gotenberg/gotenberg/v8 (Go) May 4, 2026
AnuragBathani Credited to AnuragBathani
auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross‑user impersonation Critical
CVE-2026-42560 was published for github.com/go-pkgz/auth (Go) Apr 30, 2026
Nadav0077 Credited to Nadav0077
A weakness has been identified in Xuxueli xxl-job up to 3.3.2. The affected element is the... Moderate Unreviewed
CVE-2026-7305 was published Apr 29, 2026
A weakness has been identified in Cesanta Mongoose up to 7.20. This vulnerability affects the... Moderate Unreviewed
CVE-2026-6985 was published Apr 25, 2026
A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This issue affects the... Moderate Unreviewed
CVE-2026-6986 was published Apr 25, 2026
In the Linux kernel, the following vulnerability has been resolved: mm/pagewalk: fix race... Moderate Unreviewed
CVE-2026-31456 was published Apr 22, 2026
In the Linux kernel, the following vulnerability has been resolved: net: skb: fix cross-cache... Unknown Unreviewed
CVE-2026-31429 was published Apr 20, 2026
Wish has SCP Path Traversal that allows arbitrary file read/write Critical
CVE-2026-41589 was published for charm.land/wish/v2 (Go) Apr 18, 2026
evnsh Credited to evnsh, andreynering, and aymanbagabas andreynering andreynering
aymanbagabas aymanbagabas
Expression Injection in OpenRemote Critical
CVE-2026-39842 was published for io.openremote:openremote-manager (Maven) Apr 14, 2026
qxyuan853 Credited to qxyuan853
goshs's public collaborator feed leaks .goshs ACL credentials and enables unauthorized access High
CVE-2026-40885 was published for github.com/patrickhener/goshs/v2 (Go) Apr 14, 2026
R1ZZG0D Credited to R1ZZG0D
paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass Critical
CVE-2026-41679 was published for @paperclipai/server (npm) Apr 10, 2026
sagilayani Credited to sagilayani
Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF Moderate
CVE-2025-62718 was published for axios (npm) Apr 9, 2026
AmeerAssadi Credited to AmeerAssadi, SwTan98, and jasonsaayman SwTan98 SwTan98
jasonsaayman jasonsaayman
PraisonAI Has Unauthenticated SSE Event Stream that Exposes All Agent Activity in A2U Server High
CVE-2026-39889 was published for praisonai (pip) Apr 8, 2026
srisowmya2000 Credited to srisowmya2000
File Browser has a Command Injection via Hook Runner High
CVE-2026-35585 was published for github.com/filebrowser/filebrowser/v2 (Go) Apr 8, 2026
Saku0512 Credited to Saku0512
vLLM: Unauthenticated OOM Denial of Service via Unbounded `n` Parameter in OpenAI API Server Moderate
CVE-2026-34756 was published for vllm (pip) Apr 3, 2026
ez-lbz Credited to ez-lbz, russellb, and jperezdealgaba russellb russellb
jperezdealgaba jperezdealgaba
In the Linux kernel, the following vulnerability has been resolved: clsact: Fix use-after-free... High Unreviewed
CVE-2026-23413 was published Apr 2, 2026
NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node Critical
CVE-2026-34156 was published for @nocobase/plugin-workflow-javascript (npm) Mar 30, 2026
onurcangnc Credited to onurcangnc
Incus does not verify combined fingerprint when downloading images from simplestreams servers High
CVE-2026-33542 was published for github.com/lxc/incus/v6/client (Go) Mar 27, 2026
wl2018 Credited to wl2018 and stgraber stgraber stgraber
Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR Critical
GHSA-2pv8-4c52-mf8j was published for code.vikunja.io/api (Go) Mar 26, 2026
offset Credited to offset
PDFME has SSRF via Unvalidated URL Fetch in `getB64BasePdf` When `basePdf` Is Attacker-Controlled Moderate
GHSA-pgx6-7jcq-2qff was published for @pdfme/common (npm) Mar 20, 2026
offset Credited to offset
gosaml2 CBC Padding Panic — Unauthenticated Process Crash High
GHSA-hwqm-qvj9-4jr2 was published for github.com/russellhaering/gosaml2 (Go) Mar 18, 2026
xclow3n Credited to xclow3n
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database