GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

10,353 advisories

Kyverno Controller Denial of Service via forEach Mutation Panic High
CVE-2026-41485 was published for github.com/kyverno/kyverno (Go) Apr 24, 2026
Credited to thevilledev
Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection High
CVE-2026-41325 was published for getkirby/cms (Composer) Apr 24, 2026
Credited to offset
TYPO3 CMS Stores Cleartext Password in User Settings Module High
CVE-2026-6553 was published for typo3/cms-backend (Composer) Apr 24, 2026
Credited to mclewing, garvinhicking, and ohader
Traefik has an StripPrefixRegex Middleware Authorization Bypass via Path/RawPath Desync High
CVE-2026-40912 was published for github.com/traefik/traefik (Go) Apr 24, 2026
Credited to gouldnicholas
k8sGPT has Prompt Injection through its k8sGPT-Operator High
GHSA-rp7v-4384-hfrp was published for github.com/k8sgpt-ai/k8sgpt (Go) Apr 24, 2026
Credited to haruki3hhh
Claude Code: Trust Dialog Bypass via Git Worktree Spoofing Allows Arbitrary Code Execution High
CVE-2026-40068 was published for @anthropic-ai/claude-code (npm) Apr 24, 2026
Traefik: Pre-authentication decision bypass due to forwarded alias spoofing High
CVE-2026-39858 was published for github.com/traefik/traefik (Go) Apr 24, 2026
Credited to fancymalware
Traefik's ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass authentication High
CVE-2026-35051 was published for github.com/traefik/traefik (Go) Apr 24, 2026
Credited to Zwique
Zserio Runtime: Integer Overflow in BitStreamReader and Unbounded Memory Allocation in Deserialization High
CVE-2026-33524 was published for io.github.ndsev:zserio-runtime (Maven) Apr 24, 2026
Credited to Ryujiyasu
rustls-webpki: Denial of service via panic on malformed CRL BIT STRING High
GHSA-82j2-j2ch-gfr8 was published for rustls-webpki (Rust) Apr 24, 2026
Credited to tynus3
Budibase auth session cookies are set with httpOnly:false — any XSS can lead to full account takeover High
GHSA-4f9j-vr4p-642r was published for @budibase/backend-core (npm) Apr 24, 2026
Credited to AyushParkara
Ray: Remote Code Execution via Parquet Arrow Extension Type Deserialization High
CVE-2026-41486 was published for ray (pip) Apr 24, 2026
Credited to shakevsky
Avo: Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources High
GHSA-qc5p-3mg5-9fh8 was published for avo (RubyGems) Apr 24, 2026
LiteLLM: Server-Side Template Injection in /prompts/test endpoint High
GHSA-xqmj-j6mv-4862 was published for litellm (pip) Apr 24, 2026
New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud High
CVE-2026-41432 was published for github.com/QuantumNous/new-api (Go) Apr 24, 2026
Credited to Calcium-Ion, ChangeYu0229, and kainordherd
russh has pre-auth DoS via unbounded allocation in its keyboard-interactive auth handler High
GHSA-f5v4-2wr6-hqmg was published for russh (Rust) Apr 24, 2026
Credited to coreyleavitt
ERB has an @_init deserialization guard bypass via def_module / def_method / def_class High
CVE-2026-41316 was published for erb (RubyGems) Apr 24, 2026
Credited to TristanInSec
liquidjs has a Denial of Service via circular block reference in layout High
CVE-2026-41311 was published for liquidjs (npm) Apr 24, 2026
Credited to 1netvn
Contour has Lua code injection via Cookie Path Rewrite Policy High
CVE-2026-41246 was published for github.com/projectcontour/contour (Go) Apr 24, 2026
Credited to b0b0haha and kodareef5
Credited to krraze and Stalin-143
Argo Workflows: Unchecked annotation parsing in pod informer crashes Argo Workflows Controller High
CVE-2026-40886 was published for github.com/argoproj/argo-workflows/v3 (Go) Apr 23, 2026
Credited to thevilledev
Apktool: Path Traversal to Arbitrary File Write High
CVE-2026-39973 was published for org.apktool:apktool-lib (Maven) Apr 23, 2026
Credited to caveeroo and IgorEisberg
Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering High
CVE-2026-34587 was published for getkirby/cms (Composer) Apr 23, 2026
Credited to offset
Actual has Privilege Escalation via 'change-password' Endpoint on OpenID-Migrated Servers High
CVE-2026-33318 was published for @actual-app/sync-server (npm) Apr 23, 2026
Credited to Rex50527
OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence High
GHSA-wgx6-g857-jjf7 was published for openc3 (RubyGems) Apr 22, 2026
Credited to ctrlsill
ProTip! Advisories are also available from the GraphQL API