
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

28,808 advisories

Daptin has Unauthenticated Path Traversal and Zip Slip (Critical)
GHSA-9cp7-j3f8-p5jx was published for github.com/daptin/daptin (Go) Apr 10, 2026
mathjs Allows Improperly Controlled Modification of Dynamically-Determined Object Attributes (High)
GHSA-jvff-x2qm-6286 was published for mathjs (npm) Apr 10, 2026
Credited to CykuTW
unhead: Streaming SSR `streamKey` injected into inline script without identifier validation (Low)
GHSA-x7mm-9vvv-64w8 was published for unhead (npm) Apr 10, 2026
Credited to Jvr2022
rembg server is vulnerable to Server-Side Request Forgery (SSRF) and a weak default CORS configuration (Moderate)
GHSA-55v6-g8pm-pw4c was published for rembg (pip) Apr 10, 2026
paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass (Critical)
GHSA-68qg-g8mg-6pr7 was published for @paperclipai/server (npm) Apr 10, 2026
Credited to sagilayani
rhukster/dom-sanitizer: SVG <style> tag allows CSS injection via unfiltered url() and @import directives (Moderate)
GHSA-93vf-569f-22cq was published for rhukster/dom-sanitizer (Composer) Apr 10, 2026
Credited to morimori-dev
DNN: Same HostGUID for all new installs (Low)
GHSA-2rhw-gw3f-477j was published for DotNetNuke.Core (NuGet) Apr 10, 2026
Credited to meetmandeep, donker, and valadas
DNN: Force Friend Request Acceptance (Moderate)
GHSA-fpj4-9qhx-5m6m was published for DotNetNuke.Core (NuGet) Apr 10, 2026
Credited to JesseClarkTT, bdukes, and valadas
next-intl has an open redirect vulnerability (Moderate)
GHSA-8f24-v5vv-gm5j was published for next-intl (npm) Apr 10, 2026
Credited to joniumGit
Juju: In-Memory Token Store for Discharge Tokens Lacks Concurrency Safety and Persistence (Moderate)
CVE-2026-5774 was published for github.com/juju/juju (Go) Apr 10, 2026
Credited to fg0x0 and wallyworld
Juju: CloudSpec method leaking cloud credentials (Critical)
CVE-2026-5412 was published for github.com/juju/juju (Go) Apr 10, 2026
Credited to alesstimec, wallyworld, and hpidcock
gramps-webapi: Zip Slip Path Traversal in Media Archive Import (Critical)
CVE-2026-40258 was published for gramps-webapi (pip) Apr 10, 2026
Credited to srisowmya2000
n8n-mcp has unauthenticated session termination and information disclosure in HTTP transport (High)
GHSA-75hx-xj24-mqrw was published for n8n-mcp (npm) Apr 10, 2026
Credited to yotampe-pluto
pypdf: Manipulated XMP metadata entity declarations can exhaust RAM (Moderate)
CVE-2026-40260 was published for pypdf (pip) Apr 10, 2026
Credited to kodareef5 and stefan6419846
Arcane has Unauthenticated SSRF with Conditional Response Reflection in Template Fetch Endpoint (High)
CVE-2026-40242 was published for github.com/getarcaneapp/arcane/backend (Go) Apr 10, 2026
Credited to msoneri
phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals() (Low)
CVE-2026-40194 was published for phpseclib/phpseclib (Composer) Apr 10, 2026
Credited to kodareef5
DotNetNuke.Core has stored cross-site-scripting (XSS) via SVG upload (High)
GHSA-ffq7-898w-9jc4 was published for DotNetNuke.Core (NuGet) Apr 10, 2026
Credited to bdukes and valadas
Credited to offset
Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering (Low)
CVE-2026-40109 was published for github.com/fluxcd/notification-controller (Go) Apr 10, 2026
Credited to saroj345
Step CA affected by an index out of bounds panic in TPM attestation EKU validation (Low)
CVE-2026-40097 was published for github.com/smallstep/certificates (Go) Apr 10, 2026
Credited to 1seal
Credited to OneThing4101
goshs has a file-based ACL authorization bypass in goshs state-changing routes (Critical)
CVE-2026-40189 was published for github.com/patrickhener/goshs (Go) Apr 10, 2026
Credited to R1ZZG0D
goshs is Missing Write Protection for Parametric Data Values (High)
CVE-2026-40188 was published for github.com/patrickhener/goshs (Go) Apr 10, 2026
Credited to marduc812
Rembg has a Path Traversal via Custom Model Loading (Moderate)
CVE-2026-40086 was published for rembg (pip) Apr 10, 2026
Credited to yueyueL
nimiq-blockchain is missing a wall-clock upper bound on block timestamps (Critical)
CVE-2026-40093 was published for nimiq-blockchain (Rust) Apr 10, 2026