GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 70
GitHub Actions: 52
Go: 3,948
Maven: 5,000+
npm: 5,000+
NuGet: 969
pip: 5,000+
Pub: 13
RubyGems: 1,062
Rust: 1,383
Swift: 56
Unreviewed advisories
All unreviewed: 5,000+
213 advisories

The Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable...
High | Unreviewed | CVE-2026-7459 was published | May 30, 2026

A weakness has been identified in ThingsBoard up to 4.3.1.1. Affected by this vulnerability is...
Low | Unreviewed | CVE-2026-9568 was published | May 26, 2026

Typebot has Stored XSS via Rating Block Custom Icon that Bypasses isUnsafe Sandbox in Builder Preview
High | CVE-2026-28445 was published for @typebot.io/js (npm) | May 26, 2026

A vulnerability was determined in calcom cal.diy up to 4.9.4. Affected by this issue is the...
Moderate | Unreviewed | CVE-2026-9349 was published | May 26, 2026

Cross-Site Scripting (XSS) vulnerability in @cyntler/react-doc-viewer v1.17.1 allows remote...
Moderate | Unreviewed | CVE-2026-30691 was published | May 20, 2026

Strawberry GraphQL: Default GraphiQL may expose HTTP headers in URLs
Low | CVE-2026-45739 was published for strawberry-graphql (pip) | May 19, 2026

Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation
High | CVE-2026-45738 was published for github.com/argoproj/argo-cd (Go) | May 19, 2026

TanStack Start - Server Core: Inbound server-function request deserialization could invoke a sibling client-referenced server function
Moderate | GHSA-9m65-766c-r333 was published for @tanstack/start-server-core (npm) | May 14, 2026

esm.sh: Legacy Route Path Traversal Can Lead to RCE
Critical | CVE-2026-44593 was published for github.com/esm-dev/esm.sh (Go) | May 12, 2026

@rvf/set-get has a prototype pollution issue that's reachable via @rvf/core preprocessFormData (HTTP form data)
High | CVE-2026-44483 was published for @rvf/set-get (npm) | May 11, 2026

Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting
Low | CVE-2026-44582 was published for next (npm) | May 11, 2026

Next.js vulnerable to cache poisoning in React Server Component responses
Moderate | CVE-2026-44576 was published for next (npm) | May 11, 2026

@vitejs/plugin-rsc has a Denial of Service Vulnerability in React Server Components
High | GHSA-w94c-4vhp-22gx was published for @vitejs/plugin-rsc (npm) | May 11, 2026

Next.js Vulnerable to Denial of Service with Server Components
High | GHSA-8h8q-6873-q5fj was published for next (npm) | May 11, 2026

Facebook React has a Denial of Service Vulnerability in React Server Components
High | CVE-2026-23870 was published for react-server-dom-parcel (npm) | May 11, 2026

A security vulnerability has been detected in osTicket up to 1.18.3. Impacted is an unknown...
Low | Unreviewed | CVE-2026-8194 was published | May 9, 2026

Bandit HTTP/2 Frame Size Limit Bypass via Late Buffer Check Enables Memory Exhaustion
Moderate | CVE-2026-42788 was published for bandit (Erlang) | May 7, 2026

Bandit is vulnerable to CL.CL request smuggling via unrejected duplicate `Content-Length` header
Moderate | CVE-2026-39805 was published for bandit (Erlang) | May 7, 2026

LobeHub has a Cross-Site Scripting issue that escalates to Remote Code Execution
Moderate | CVE-2026-42045 was published for @lobehub/lobehub (npm) | May 5, 2026

Incus has an OVN TLS Verification that Accepts Peer-Supplied Roots
Low | CVE-2026-40243 was published for github.com/lxc/incus/v6/cmd/incusd (Go) | May 4, 2026

A flaw has been found in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this issue...
Moderate | Unreviewed | CVE-2026-7714 was published | May 4, 2026

A flaw has been found in kleneway awesome-cursor-mpc-server up to 2.0.1. Impacted is the function...
Low | Unreviewed | CVE-2026-7629 was published | May 2, 2026

A vulnerability was detected in crazyrabbitLTC mcp-code-review-server up to 0.1.0. This issue...
Low | Unreviewed | CVE-2026-7628 was published | May 2, 2026

A vulnerability has been found in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0. Affected by...
Low | Unreviewed | CVE-2026-7596 was published | May 1, 2026

A flaw has been found in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0. Affected by this...
Low | Unreviewed | CVE-2026-7595 was published | May 1, 2026

ProTip! Advisories are also available from the GraphQL API