Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,599
Maven
5,000+
npm
5,000+
NuGet
924
pip
4,828
Pub
13
RubyGems
1,045
Rust
1,256
Swift
53
Unreviewed advisories
All unreviewed
5,000+

29,402 advisories

Loading
Google Keras Allocates Resources Without Limits or Throttling in the HDF5 weight loading component High
CVE-2026-0897 was published for keras (pip) Jan 15, 2026
maksim-m Credited to maksim-m and jeffcarp jeffcarp jeffcarp
Unauthenticated remote shutdown in nltk.app.wordnet_app High
CVE-2026-33231 was published for nltk (pip) Mar 19, 2026
leduckhuong Credited to leduckhuong and v-kondratenko v-kondratenko v-kondratenko
seroval affected by Denial of Service via RegExp serialization High
CVE-2026-23956 was published for seroval (npm) Jan 21, 2026
tweidinger Credited to tweidinger and lxsmnsyc lxsmnsyc lxsmnsyc
xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion High
CVE-2026-34601 was published for @xmldom/xmldom (npm) Apr 1, 2026
thesmartshadow Credited to thesmartshadow and karfau karfau karfau
Apache Struts Remote Java Code Execution Critical
CVE-2012-0391 was published for org.apache.struts.xwork:xwork-core (Maven) May 4, 2022
sunSUNQ Credited to sunSUNQ
MinIO has an Unauthenticated Object Write via Missing Signature Verification in Unsigned-Trailer Uploads High
CVE-2026-40344 was published for github.com/minio/minio (Go) Apr 14, 2026
ddd Credited to ddd, harshavardhana, and donatello harshavardhana harshavardhana
donatello donatello
free5GC UDR: Fail-open handling in PolicyDataSubsToNotifyPost allows unintended subscription creation Moderate
CVE-2026-40343 was published for github.com/free5gc/udr (Go) Apr 21, 2026
Giancannella Credited to Giancannella
OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing Critical
CVE-2026-40575 was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) Apr 15, 2026
iamnoooob Credited to iamnoooob
Data Sharing Framework is Missing Session Timeout for OIDC Sessions Moderate
CVE-2026-40939 was published for dev.dsf:dsf-bpe-server (Maven) Apr 15, 2026
Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing High
CVE-2026-40931 was published for compressing (npm) Apr 17, 2026
sachinpatilpsp Credited to sachinpatilpsp and IAMolofficial IAMolofficial IAMolofficial
WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs High
CVE-2026-39369 was published for WWBN/AVideo (Composer) Apr 8, 2026
threalwinky Credited to threalwinky
Tekton Pipeline: Git Resolver Unsanitized Revision Parameter Enables git Argument Injection Leading to RCE High
CVE-2026-40938 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
offset Credited to offset, vdemeester, and kodareef5 vdemeester vdemeester
kodareef5 kodareef5
Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via Memory Exhaustion Moderate
CVE-2026-40924 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
offset Credited to offset and vdemeester vdemeester vdemeester
@vendure/core has a SQL Injection vulnerability Critical
CVE-2026-40887 was published for @vendure/core (npm) Apr 14, 2026
jacobfrantz1 Credited to jacobfrantz1
goshs has CSRF in state-changing GET routes enables authenticated file deletion and directory creation Moderate
CVE-2026-40883 was published for github.com/patrickhener/goshs/v2 (Go) Apr 14, 2026
R1ZZG0D Credited to R1ZZG0D
kyverno apicall servicecall implicit bearer token injection leaks kyverno serviceaccount token High
CVE-2026-40868 was published for github.com/kyverno/kyverno (Go) Apr 14, 2026
1seal Credited to 1seal
Decidim's comments API allows access to all commentable resources High
CVE-2026-40870 was published for decidim-api (RubyGems) Apr 14, 2026
ahukkanen Credited to ahukkanen
Decidim amendments can be accepted or rejected by anyone High
CVE-2026-40869 was published for decidim-core (RubyGems) Apr 14, 2026
ajenti.plugin.core has race conditions in 2FA Moderate
CVE-2026-40178 was published for ajenti.plugin.core (pip) Apr 10, 2026
hansmach1ne Credited to hansmach1ne
ajenti.plugin.core has password bypass when 2FA is activated Critical
CVE-2026-40177 was published for ajenti.plugin.core (pip) Apr 10, 2026
hansmach1ne Credited to hansmach1ne
pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters High
CVE-2025-61773 was published for pyload-ng (pip) Oct 9, 2025
odaysec Credited to odaysec
October CMS has Safe Mode Bypass via Twig Database Write Operations Moderate
CVE-2026-26274 was published for october/october (Composer) Apr 21, 2026
Neosprings Credited to Neosprings and daftspunk daftspunk daftspunk
October CMS has Safe Mode Bypass via CSS Preprocessor Compilers Moderate
CVE-2026-26067 was published for october/system (Composer) Apr 21, 2026
Neosprings Credited to Neosprings and daftspunk daftspunk daftspunk
October CMS: Editor Sub-Permission Bypass for Asset and Blueprint File Operations Low
CVE-2026-29179 was published for october/system (Composer) Apr 21, 2026
October CMS: Reflected XSS via DataTable Form Widget Low
CVE-2026-27937 was published for october/system (Composer) Apr 21, 2026
daftspunk Credited to daftspunk
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database