Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,599
Maven
5,000+
npm
5,000+
NuGet
924
pip
4,828
Pub
13
RubyGems
1,045
Rust
1,256
Swift
53
Unreviewed advisories
All unreviewed
5,000+

29,402 advisories

Loading
LiteLLM: Server-Side Template Injection in /prompts/test endpoint High
GHSA-xqmj-j6mv-4862 was published for litellm (pip) Apr 24, 2026
nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields Moderate
GHSA-f5c8-m5vw-rmgq was published for almirhodzic/nova-toggle-5 (Composer) Apr 24, 2026
RobertoNegro Credited to RobertoNegro
AWS Encryption SDK for Python: Key commitment policy bypass via shared key cache Moderate
CVE-2026-6550 was published for aws-encryption-sdk (pip) Apr 24, 2026
Grid: Integer Overflow in Grid::expand_rows Leads to Safe-API Undefined Behavior Moderate
GHSA-38c5-483c-4qqp was published for grid (Rust) Apr 24, 2026
ksj1230 Credited to ksj1230
New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud High
CVE-2026-41432 was published for github.com/QuantumNous/new-api (Go) Apr 24, 2026
Calcium-Ion Credited to Calcium-Ion, ChangeYu0229, and kainordherd ChangeYu0229 ChangeYu0229
kainordherd kainordherd
Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in NQuad Lang Field Critical
CVE-2026-41328 was published for github.com/dgraph-io/dgraph (Go) Apr 24, 2026
VladimirEliTokarev Credited to VladimirEliTokarev
Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in Upsert Condition Field Critical
CVE-2026-41327 was published for github.com/dgraph-io/dgraph (Go) Apr 24, 2026
VladimirEliTokarev Credited to VladimirEliTokarev
russh has pre-auth DoS via unbounded allocation in its keyboard-interactive auth handler High
GHSA-f5v4-2wr6-hqmg was published for russh (Rust) Apr 24, 2026
coreyleavitt Credited to coreyleavitt
RedwoodSDK has Same-site CSRF through lack of origin validation in its server actions Moderate
GHSA-m2m6-cff5-3w7c was published for rwsdk (npm) Apr 24, 2026
mthx Credited to mthx
ERB has an @_init deserialization guard bypass via def_module / def_method / def_class High
CVE-2026-41316 was published for erb (RubyGems) Apr 24, 2026
TristanInSec Credited to TristanInSec
liquidjs has a Denial of Service via circular block reference in layout High
CVE-2026-41311 was published for liquidjs (npm) Apr 24, 2026
1netvn Credited to 1netvn
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output Moderate
CVE-2026-41305 was published for postcss (npm) Apr 24, 2026
TharVid Credited to TharVid
Lemmy has SSRF in /api/v3/post via Webmention dispatch Moderate
GHSA-3jvj-v6w2-h948 was published for lemmy_api_common (Rust) Apr 24, 2026
Lemmy has SSRF and internal image disclosure in post link metadata via unvalidated og:image Moderate
GHSA-h6hf-9846-xwrq was published for lemmy_api_common (Rust) Apr 24, 2026
Contour has Lua code injection via Cookie Path Rewrite Policy High
CVE-2026-41246 was published for github.com/projectcontour/contour (Go) Apr 24, 2026
b0b0haha Credited to b0b0haha and kodareef5 kodareef5 kodareef5
melange has Path Traversal via .PKGINFO in --persist-lint-results Moderate
CVE-2026-29051 was published for chainguard.dev/melange (Go) Apr 23, 2026
1seal Credited to 1seal and antitree antitree antitree
melange has Path Traversal When Resolving External Pipelines via Unvalidated pipeline[].uses Moderate
CVE-2026-29050 was published for chainguard.dev/melange (Go) Apr 23, 2026
1seal Credited to 1seal and antitree antitree antitree
Cloudflare has SSRF via redirect following through its image-binding-transform endpoint (incomplete fix for GHSA-qpr4) Low
CVE-2026-41321 was published for @astrojs/cloudflare (npm) Apr 23, 2026
kodareef5 Credited to kodareef5
OpenLearnX has Critical Remote Code Execution Through Python Sandbox Escape via Code Execution Environment High
CVE-2026-41900 was published for openlearnx (npm) Apr 23, 2026
krraze Credited to krraze and Stalin-143 Stalin-143 Stalin-143
OpenTelemetry.Sampler.AWS & OpenTelemetry.Resources.AWS have unbounded HTTP response body reads Moderate
CVE-2026-41173 was published for OpenTelemetry.Resources.AWS (NuGet) Apr 23, 2026
Kielek Credited to Kielek, normj, martincostello, and arminru normj normj
martincostello martincostello arminru arminru
OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers Moderate
CVE-2026-40894 was published for OpenTelemetry.Api (NuGet) Apr 23, 2026
martincostello Credited to martincostello, Kielek, and arminru Kielek Kielek
arminru arminru
OpenTelemetry dotnet: Unbounded `grpc-status-details-bin` parsing in OTLP/gRPC retry handling Moderate
CVE-2026-40891 was published for OpenTelemetry.Exporter.OpenTelemetryProtocol (NuGet) Apr 23, 2026
Kielek Credited to Kielek, martincostello, and arminru martincostello martincostello
arminru arminru
Argo Workflows: Unchecked annotation parsing in pod informer crashes Argo Workflows Controller High
CVE-2026-40886 was published for github.com/argoproj/argo-workflows/v3 (Go) Apr 23, 2026
thevilledev Credited to thevilledev
OpenTelemetry dotnet: OTLP exporter reads unbounded HTTP response bodies Moderate
CVE-2026-40182 was published for OpenTelemetry.Exporter.OpenTelemetryProtocol (NuGet) Apr 23, 2026
martincostello Credited to martincostello, 1seal, Kielek, and arminru 1seal 1seal
Kielek Kielek arminru arminru
Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter Moderate
CVE-2026-40099 was published for getkirby/cms (Composer) Apr 23, 2026
offset Credited to offset
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database