GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem:
All reviewed: 5,000+
Composer: 5,000+
Erlang: 55
GitHub Actions: 50
Go: 3,732
Maven: 5,000+
npm: 5,000+
NuGet: 935
pip: 4,952
Pub: 13
RubyGems: 1,055
Rust: 1,343
Swift: 54

Unreviewed advisories:
All unreviewed: 5,000+

32,984 advisories
CVE-2026-8034 (High, unreviewed), published May 8, 2026: A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server...
CVE-2026-41105 (High, unreviewed), published May 8, 2026: Server-side request forgery (SSRF) in Azure Notification Service allows an authorized attacker to...
CVE-2026-7541 (Moderate, unreviewed), published May 8, 2026: A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an...
CVE-2026-40214 (Moderate, unreviewed), published May 8, 2026: In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project...
CVE-2026-40213 (High, unreviewed), published May 8, 2026: OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple...
CVE-2026-44661 (Moderate), published May 7, 2026 for utcp-http (pip): utcp-http vulnerable to SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol
GHSA-fpw6-hrg5-q5x5 (High), published May 7, 2026 for github.com/lin-snow/Ech0 (Go): Ech0's access tokens with expiry=never cannot be revoked: logout panics, delete does not blacklist JTI
GHSA-p64j-f4x9-wq66 (High), published May 7, 2026 for github.com/lin-snow/Ech0 (Go): Ech0's OAuth redirect URI validation ignores path component, enables exchange-code theft
CVE-2026-39825 (Unknown, unreviewed), published May 7, 2026: ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When...
GHSA-8mc6-xjpr-h98x (High), published May 7, 2026 for github.com/lin-snow/ech0 (Go): Ech0 has Server-Side Request Forgery (SSRF) via Connect Handler fetchPeerConnectInfo
GHSA-pj6q-4vq4-r8cg (Moderate), published May 7, 2026 for github.com/lin-snow/Ech0 (Go): Ech0 allows PUT /api/echo/like/:id unauthenticated: anonymous callers can modify any echo's fav_count
GHSA-rgj7-vg8v-j4wr (Moderate), published May 7, 2026 for github.com/lin-snow/ech0 (Go): Ech0's Unauthenticated Like Endpoint Enables Arbitrary Engagement Metric Inflation
GHSA-3v85-fqvh-7rxf (Moderate), published May 7, 2026 for github.com/lin-snow/Ech0 (Go): Ech0's RSS feed renders unescaped tag names and raw-HTML markdown, stored XSS against subscribers
GHSA-rj4g-rqgh-rx9h (Moderate), published May 7, 2026 for github.com/lin-snow/Ech0 (Go): Ech0 comment model's Email field returned on public /api/comments endpoints
CVE-2026-44523 (Critical), published May 7, 2026 for github.com/enchant97/note-mark/backend (Go): Note Mark has a JWT Secret Weakness that allows Full Account Takeover via Token Forgery
CVE-2026-44522 (High), published May 7, 2026 for github.com/enchant97/note-mark/backend (Go): Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leads to Remote Code Execution
GHSA-h4fw-6r7f-w494 (Low), published May 7, 2026 for web-auth/webauthn-framework (Composer): Webauthn has a User Verification Downgrade via Default-Open ClientOverridePolicy
CVE-2026-44589 (Low), published May 7, 2026 for nuxt-og-image (npm): nuxt-og-image SSRF: bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect)
CVE-2026-42878 (Moderate), published May 7, 2026 for facturascripts/facturascripts (Composer): FacturaScripts Vulnerable to Unauthenticated phpinfo() Disclosure via Installer Endpoint
CVE-2026-42877 (Moderate), published May 7, 2026 for facturascripts/facturascripts (Composer): FacturaScripts vulnerable to stored XSS via product reference in sales/purchases
CVE-2026-27964 (Low), published May 7, 2026 for facturascripts/facturascripts (Composer): FacturaScripts vulnerable to Reflected Cross-Site Scripting (XSS) via Cookie Manipulation
CVE-2026-8081 (Low, unreviewed), published May 7, 2026: A vulnerability has been found in router-for-me CLIProxyAPI 6.9.29. Affected by this issue is...
CVE-2026-42553 (High), published May 7, 2026 for cinny (npm): Cinny vulnerable to access token disclosure via invalidated emoji pack avatar URL in service worker
CVE-2026-5791 (Critical, unreviewed), published May 7, 2026: Cross-Site Request Forgery (CSRF) vulnerability in DivvyDrive Information Technologies Inc....
CVE-2026-27415 (Moderate, unreviewed), published May 7, 2026: Cross-Site Request Forgery (CSRF) vulnerability in PluginUs.Net BEAR allows Cross Site Request...