GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories (count by ecosystem): All reviewed: 5,000+; Composer: 5,000+; Erlang: 49; GitHub Actions: 50; Go: 3,599; Maven: 5,000+; npm: 5,000+; NuGet: 924; pip: 4,828; Pub: 13; RubyGems: 1,045; Rust: 1,256; Swift: 53.
Unreviewed advisories: All unreviewed: 5,000+.
12,958 advisories
Title | Severity | Advisory ID | Package (ecosystem) | Published
wlc: print_html outputs API data without HTML escaping | Moderate | GHSA-gx2m-mcc2-r4p3 | wlc (pip) | Apr 24, 2026
gitverify has improper tag signature verification | Moderate | GHSA-h829-5cg7-6hff | github.com/supply-chain-tools/gitverify (Go) | Apr 24, 2026
Excalidraw vulnerable to XSS via Mermaid sequence diagram labels (KaTeX rendering) | Moderate | GHSA-39h7-pwv7-rc3x | @excalidraw/excalidraw (npm) | Apr 24, 2026
Traefik: A timing side-channel vulnerability allows for valid username enumeration via BasicAuth middleware | Moderate | CVE-2026-41263 | github.com/traefik/traefik (Go) | Apr 24, 2026
Traefik Kubernetes CRD allows unauthorized cross-namespace middleware binding | Moderate | CVE-2026-41174 | github.com/traefik/traefik (Go) | Apr 24, 2026
ParquetSharp: Possible Stack Overflow When Reading a ParquetFile with Large Decimal Type Width | Moderate | GHSA-rrjr-v56m-ww88 | ParquetSharp (NuGet) | Apr 24, 2026
nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields | Moderate | GHSA-f5c8-m5vw-rmgq | almirhodzic/nova-toggle-5 (Composer) | Apr 24, 2026
AWS Encryption SDK for Python: Key commitment policy bypass via shared key cache | Moderate | CVE-2026-6550 | aws-encryption-sdk (pip) | Apr 24, 2026
Grid: Integer Overflow in Grid::expand_rows Leads to Safe-API Undefined Behavior | Moderate | GHSA-38c5-483c-4qqp | grid (Rust) | Apr 24, 2026
RedwoodSDK has Same-site CSRF through lack of origin validation in its server actions | Moderate | GHSA-m2m6-cff5-3w7c | rwsdk (npm) | Apr 24, 2026
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output | Moderate | CVE-2026-41305 | postcss (npm) | Apr 24, 2026
Lemmy has SSRF in /api/v3/post via Webmention dispatch | Moderate | GHSA-3jvj-v6w2-h948 | lemmy_api_common (Rust) | Apr 24, 2026
Lemmy has SSRF and internal image disclosure in post link metadata via unvalidated og:image | Moderate | GHSA-h6hf-9846-xwrq | lemmy_api_common (Rust) | Apr 24, 2026
melange has Path Traversal via .PKGINFO in --persist-lint-results | Moderate | CVE-2026-29051 | chainguard.dev/melange (Go) | Apr 23, 2026
melange has Path Traversal When Resolving External Pipelines via Unvalidated pipeline[].uses | Moderate | CVE-2026-29050 | chainguard.dev/melange (Go) | Apr 23, 2026
OpenTelemetry.Sampler.AWS & OpenTelemetry.Resources.AWS have unbounded HTTP response body reads | Moderate | CVE-2026-41173 | OpenTelemetry.Resources.AWS (NuGet) | Apr 23, 2026
OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers | Moderate | CVE-2026-40894 | OpenTelemetry.Api (NuGet) | Apr 23, 2026
OpenTelemetry dotnet: Unbounded `grpc-status-details-bin` parsing in OTLP/gRPC retry handling | Moderate | CVE-2026-40891 | OpenTelemetry.Exporter.OpenTelemetryProtocol (NuGet) | Apr 23, 2026
OpenTelemetry dotnet: OTLP exporter reads unbounded HTTP response bodies | Moderate | CVE-2026-40182 | OpenTelemetry.Exporter.OpenTelemetryProtocol (NuGet) | Apr 23, 2026
Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter | Moderate | CVE-2026-40099 | getkirby/cms (Composer) | Apr 23, 2026
go-ntlmssp NTLM challenges can panic on malformed payloads | Moderate | CVE-2026-32952 | github.com/Azure/go-ntlmssp (Go) | Apr 23, 2026
Kirby has XML injection in its XML creator toolkit | Moderate | CVE-2026-32870 | getkirby/cms (Composer) | Apr 23, 2026
Astro: Cache Poisoning due to incorrect error handling when if-match header is malformed | Moderate | CVE-2026-41322 | @astrojs/node (npm) | Apr 23, 2026
n8n-MCP Logs Sensitive Request Data on Unauthorized /mcp Requests | Moderate | CVE-2026-41495 | n8n-mcp (npm) | Apr 23, 2026
goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS | Moderate | GHSA-rhf7-wvw3-vjvm | github.com/patrickhener/goshs (Go) | Apr 23, 2026
Advisories are also available from the GraphQL API.