Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,599
Maven
5,000+
npm
5,000+
NuGet
924
pip
4,828
Pub
13
RubyGems
1,045
Rust
1,256
Swift
53
Unreviewed advisories
All unreviewed
5,000+

29,402 advisories

Loading
Apktool: Path Traversal to Arbitrary File Write High
CVE-2026-39973 was published for org.apktool:apktool-lib (Maven) Apr 23, 2026
caveeroo Credited to caveeroo and IgorEisberg IgorEisberg IgorEisberg
Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering High
CVE-2026-34587 was published for getkirby/cms (Composer) Apr 23, 2026
offset Credited to offset
Actual has Privilege Escalation via 'change-password' Endpoint on OpenID-Migrated Servers High
CVE-2026-33318 was published for @actual-app/sync-server (npm) Apr 23, 2026
Rex50527 Credited to Rex50527
go-ntlmssp NTLM challenges can panic on malformed payloads Moderate
CVE-2026-32952 was published for github.com/Azure/go-ntlmssp (Go) Apr 23, 2026
Kirby has XML injection in its XML creator toolkit Moderate
CVE-2026-32870 was published for getkirby/cms (Composer) Apr 23, 2026
dapatrese Credited to dapatrese
Pipecat: Remote Code Execution by Pickle Deserialization Through LivekitFrameSerializer Critical
CVE-2025-62373 was published for pipecat-ai (pip) Apr 23, 2026
Chenpinji Credited to Chenpinji
Microsoft Security Advisory CVE-2026-40372 – ASP.NET Core Elevation of Privilege Critical
CVE-2026-40372 was published for Microsoft.AspNetCore.DataProtection (NuGet) Apr 23, 2026
rbhanda Credited to rbhanda
Astro: Cache Poisoning due to incorrect error handling when if-match header is malformed Moderate
CVE-2026-41322 was published for @astrojs/node (npm) Apr 23, 2026
dnlbln Credited to dnlbln, matthewp, and ematipico matthewp matthewp
ematipico ematipico
n8n-MCP Logs Sensitive Request Data on Unauthorized /mcp Requests Moderate
CVE-2026-41495 was published for n8n-mcp (npm) Apr 23, 2026
S4nso Credited to S4nso
goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS Moderate
GHSA-rhf7-wvw3-vjvm was published for github.com/patrickhener/goshs (Go) Apr 23, 2026
OpenC3 COSMOS: Permissions Bypass Provides User Access to Unassigned Administrative Actions via Script Runner Tool Critical
GHSA-2wvh-87g2-89hr was published for openc3 (RubyGems) Apr 23, 2026
suffs811 Credited to suffs811
OpenC3 COSMOS has SQL Injection in QuestDB Time-Series Database Critical
GHSA-v529-vhwc-wfc5 was published for openc3 (RubyGems) Apr 23, 2026
suffs811 Credited to suffs811
OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender Moderate
GHSA-ffq5-qpvf-xq7x was published for openc3 (RubyGems) Apr 22, 2026
ctrlsill Credited to ctrlsill
OpenC3 COSMOS allows arbitrary writes to plugins directory via path-traversed config filenames Moderate
GHSA-4jvx-93h3-f45h was published for openc3 (RubyGems) Apr 22, 2026
ctrlsill Credited to ctrlsill
OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence High
GHSA-wgx6-g857-jjf7 was published for openc3 (RubyGems) Apr 22, 2026
ctrlsill Credited to ctrlsill
OpenMcdf has an Infinite loop DoS via crafted CFB directory cycle Moderate
CVE-2026-41511 was published for OpenMcdf (NuGet) Apr 22, 2026
pawlos Credited to pawlos
Evolver: Path Traversal via `--out` flag in `fetch` command allows Arbitrary File Write High
GHSA-r466-rxw4-3j9j was published for @evomap/evolver (npm) Apr 22, 2026
xeloxa Credited to xeloxa
Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution Critical
GHSA-j5w5-568x-rq53 was published for @evomap/evolver (npm) Apr 22, 2026
xeloxa Credited to xeloxa
Evolver has Prototype Pollution via `Object.assign()` in its mailbox store operations Moderate
GHSA-2cjr-5v3h-v2w4 was published for @evomap/evolver (npm) Apr 22, 2026
xeloxa Credited to xeloxa
NornicDB has Improper Network Binding in its Bolt Server, allowing unauthorized remote access Critical
GHSA-2hp7-65r3-wv54 was published for github.com/orneryd/nornicdb (Go) Apr 22, 2026
justhtml has sanitization bypass in custom policies and programmatic DOM Moderate
GHSA-vrx2-77f2-ww34 was published for justhtml (pip) Apr 22, 2026
EmilStenstrom Credited to EmilStenstrom
rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1 High
CVE-2026-41676 was published for openssl (Rust) Apr 22, 2026
rust-opennssl has an Out-of-bounds read in PEM password callback when returning an oversized length Low
CVE-2026-41677 was published for openssl (Rust) Apr 22, 2026
rust-openssl has incorrect bounds assertion in aes key wrap High
CVE-2026-41678 was published for openssl (Rust) Apr 22, 2026
rust-openssl: rustMdCtxRef::digest_final() writes past caller buffer with no length check High
CVE-2026-41681 was published for openssl (Rust) Apr 22, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database