Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
55
GitHub Actions
50
Go
3,732
Maven
5,000+
npm
5,000+
NuGet
935
pip
4,952
Pub
13
RubyGems
1,055
Rust
1,343
Swift
54
Unreviewed advisories
All unreviewed
5,000+

50 advisories

Loading
fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver Critical
CVE-2026-44351 was published for fast-jwt (npm) May 6, 2026
bhaswanthc Credited to bhaswanthc and SociableSteve SociableSteve SociableSteve
Kimai's Twig function config() leaks server-wide secrets (LDAP bind password, SAML SP private key) via invoice/export templates Moderate
GHSA-vrqv-52x7-rm4v was published for kimai/kimai (Composer) May 6, 2026
fg0x0 Credited to fg0x0
Nginx-UI Settings API Exposes Protected Secrets Moderate
CVE-2026-42223 was published for github.com/0xJacky/nginx-ui (Go) May 6, 2026
yotampe-pluto Credited to yotampe-pluto
Nginx-UI: Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback Moderate
CVE-2026-42220 was published for github.com/0xJacky/Nginx-UI (Go) May 5, 2026
lilmingwa13 Credited to lilmingwa13
Mojic: Observable Timing Discrepancy in HMAC Verification Moderate
CVE-2026-41244 was published for mojic (npm) Apr 16, 2026
notamitgamer2 Credited to notamitgamer2 and notamitgamer notamitgamer notamitgamer
Hashgraph Guardian through version 3.5.0 contains an unsandboxed JavaScript execution... High Unreviewed
CVE-2026-39911 was published Apr 9, 2026
rfc3161-client Has Improper Certificate Validation Moderate
CVE-2026-33753 was published for rfc3161-client (pip) Apr 8, 2026
Jaynornj Credited to Jaynornj
fast-jwt: Incomplete fix for CVE-2023-48223: JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key Critical
CVE-2026-34950 was published for fast-jwt (npm) Apr 2, 2026
rtvkiz Credited to rtvkiz
StableLib Ed25519 Signature Malleability via Missing S < L Check Moderate
GHSA-x3ff-w252-2g7j was published for @stablelib/ed25519 (npm) Apr 1, 2026
kodareef5 Credited to kodareef5
AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification Moderate
CVE-2026-34716 was published for wwbn/avideo (Composer) Apr 1, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation) High
CVE-2026-33896 was published for node-forge (npm) Mar 26, 2026
peaktwilight Credited to peaktwilight
Forge has signature forgery in Ed25519 due to missing S > L check High
CVE-2026-33895 was published for node-forge (npm) Mar 26, 2026
corbanvilla Credited to corbanvilla, dderpym, and soh3e dderpym dderpym
soh3e soh3e
Forge has signature forgery in RSA-PKCS due to ASN.1 extra field High
CVE-2026-33894 was published for node-forge (npm) Mar 26, 2026
corbanvilla Credited to corbanvilla, dderpym, and soh3e dderpym dderpym
soh3e soh3e
Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input High
CVE-2026-33891 was published for node-forge (npm) Mar 26, 2026
Kr0emer Credited to Kr0emer
simplesamlphp/xml-security: Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unauthorized Decryption High
CVE-2026-32600 was published for simplesamlphp/xml-security (Composer) Mar 13, 2026
Sideni Credited to Sideni and tvdijen tvdijen tvdijen
xmlseclibs: Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unauthorized Decryption High
CVE-2026-32313 was published for robrichards/xmlseclibs (Composer) Mar 13, 2026
Sideni Credited to Sideni
@siteboon/claude-code-ui Vulnerable to Unauthenticated RCE via WebSocket Shell Injection High
CVE-2026-31975 was published for @siteboon/claude-code-ui (npm) Mar 11, 2026
Ethan-Yang-opcia Credited to Ethan-Yang-opcia, DhiyaneshGeek, and neo-ai-engineer DhiyaneshGeek DhiyaneshGeek
neo-ai-engineer neo-ai-engineer
@siteboon/claude-code-ui is Vulnerable to Shell Command Injection in Git Routes High
CVE-2026-31861 was published for @siteboon/claude-code-ui (npm) Mar 10, 2026
Akokonunes Credited to Akokonunes, neo-ai-engineer, and toufik-airane neo-ai-engineer neo-ai-engineer
toufik-airane toufik-airane
dcap-qvl has Missing Verification for QE Identity Critical
CVE-2026-22696 was published for @phala/dcap-qvl (npm) Jan 26, 2026
n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks Moderate
CVE-2026-21894 was published for n8n (npm) Jan 7, 2026
nkoorty Credited to nkoorty, jjjutla, and geckosecurity jjjutla jjjutla
geckosecurity geckosecurity
Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package High
CVE-2025-68619 was published for signalk-server (npm) Jan 2, 2026
atsc11 Credited to atsc11
Langflow vulnerable to Server-Side Request Forgery High
CVE-2025-68477 was published for langflow (pip) Dec 19, 2025
im-soohyun Credited to im-soohyun
node-forge has ASN.1 Unbounded Recursion High
CVE-2025-66031 was published for node-forge (npm) Nov 26, 2025
wodzen Credited to wodzen
node-forge is vulnerable to ASN.1 OID Integer Truncation Moderate
CVE-2025-66030 was published for node-forge (npm) Nov 26, 2025
wodzen Credited to wodzen
node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization High
CVE-2025-12816 was published for node-forge (npm) Nov 26, 2025
wodzen Credited to wodzen and sei-vsarvepalli sei-vsarvepalli sei-vsarvepalli
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database