Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,599
Maven
5,000+
npm
5,000+
NuGet
924
pip
4,828
Pub
13
RubyGems
1,045
Rust
1,256
Swift
53
Unreviewed advisories
All unreviewed
5,000+

29,402 advisories

Loading
rust-openssl: Unchecked callback length in PSK/cookie trampolines leaks adjacent memory to peer High
GHSA-hppc-g8h3-xhp3 was published for openssl (Rust) Apr 22, 2026
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided Moderate
GHSA-w5hq-g745-h8pq was published for uuid (npm) Apr 22, 2026
0xStraw-Hat Credited to 0xStraw-Hat
SiYuan: Path Traversal via Double URL Encoding in `/export/` Endpoint (Incomplete Fix Bypass for CVE-2026-30869) High
GHSA-hjh7-r5w8-5872 was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 22, 2026
MCPHub has Path Traversal via Malicious MCPB Manifest Name High
GHSA-p3h2-2j4p-p83g was published for @samanhappy/mcphub (npm) Apr 22, 2026
keyblues Credited to keyblues
pgx: SQL Injection via placeholder confusion with dollar quoted string literals Low
GHSA-j88v-2chj-qfwx was published for github.com/jackc/pgx (Go) Apr 22, 2026
Gitea has insecure default SSH settings Moderate
GHSA-3m6q-h5gj-7mrw was published for code.gitea.io/gitea (Go) Apr 22, 2026
gnzsnz Credited to gnzsnz
Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577) Moderate
GHSA-xjvc-pw2r-6878 was published for flarum/core (Composer) Apr 22, 2026
LiamSnow Credited to LiamSnow and imorland imorland imorland
locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor High
GHSA-w937-fg2h-xhq2 was published for locize (npm) Apr 22, 2026
i18next-locize-backend has URL Injection via Unsanitized Path Parameters Moderate
GHSA-mgcp-mfp8-3q45 was published for i18next-locize-backend (npm) Apr 22, 2026
i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header High
CVE-2026-41683 was published for i18next-http-middleware (npm) Apr 22, 2026
xmldom: Uncontrolled recursion in XML serialization leads to DoS High
CVE-2026-41673 was published for @xmldom/xmldom (npm) Apr 22, 2026
Jvr2022 Credited to Jvr2022, praveen-kv, and KarimTantawey praveen-kv praveen-kv
KarimTantawey KarimTantawey
xmldom has XML injection through unvalidated DocumentType serialization High
CVE-2026-41674 was published for @xmldom/xmldom (npm) Apr 22, 2026
TharVid Credited to TharVid
xmldom has XML node injection through unvalidated processing instruction serialization High
CVE-2026-41675 was published for @xmldom/xmldom (npm) Apr 22, 2026
tlsbollei Credited to tlsbollei and TharVid TharVid TharVid
xmldom has XML node injection through unvalidated comment serialization High
CVE-2026-41672 was published for @xmldom/xmldom (npm) Apr 22, 2026
Jvr2022 Credited to Jvr2022 and TharVid TharVid TharVid
@nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading High
CVE-2026-41640 was published for @nocobase/database (npm) Apr 22, 2026
p80n-sec Credited to p80n-sec
@nocobase/plugin-collection-sql: SQL Validation Bypass Through Missing `checkSQL` Call High
CVE-2026-41641 was published for @nocobase/plugin-collection-sql (npm) Apr 22, 2026
p80n-sec Credited to p80n-sec
fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters Moderate
CVE-2026-41650 was published for fast-xml-parser (npm) Apr 22, 2026
TharVid Credited to TharVid
Nuclei: Environment variable disclosure via Response-Derived DSL Expressions Moderate
CVE-2026-41645 was published for github.com/projectdiscovery/nuclei/v3 (Go) Apr 22, 2026
gnuletik Credited to gnuletik
Nuclei: Local File Read via require() Module Loader Bypass Moderate
CVE-2026-41646 was published for github.com/projectdiscovery/nuclei/v3 (Go) Apr 22, 2026
AkashHamal0x01 Credited to AkashHamal0x01
monetr: Server-side request forgery in Lunch Flow link creation and refresh High
CVE-2026-41644 was published for github.com/monetr/monetr (Go) Apr 22, 2026
elliotcourant Credited to elliotcourant
Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping Moderate
CVE-2026-41591 was published for @marko/runtime-tags (npm) Apr 22, 2026
k0w4lzk1 Credited to k0w4lzk1
free5GC AMF: Missing default case in Content-Type switch in HTTPUEContextTransfer Moderate
CVE-2026-41136 was published for github.com/free5gc/amf (Go) Apr 22, 2026
Giancannella Credited to Giancannella
free5GC PCF: Memory Leak via CORS Middleware Registration in HTTP Handler Leads to Denial of Service High
CVE-2026-41135 was published for github.com/free5gc/pcf (Go) Apr 22, 2026
Giancannella Credited to Giancannella
OpenFGA has Improper Policy Enforcement Moderate
CVE-2026-41131 was published for github.com/openfga/openfga (Go) Apr 22, 2026
bugbunny-research Credited to bugbunny-research
RustFS: Missing admin authorization on notification target endpoints allows unauthenticated configuration of event webhooks High
CVE-2026-40937 was published for rustfs (Rust) Apr 22, 2026
kodareef5 Credited to kodareef5
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database