GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

10,950 advisories

Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation (High)
CVE-2026-45738 was published for github.com/argoproj/argo-cd (Go) May 19, 2026
Credited to kah-ja

Mailpit: Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes (High)
CVE-2026-45713 was published for github.com/axllent/mailpit (Go) May 19, 2026
Credited to KadirArslan

ORAS Java: Path traversal in pullArtifact via attacker-controlled org.opencontainers.image.title annotation (High)
GHSA-xm96-gfjx-jcrc was published for land.oras:oras-java-sdk (Maven) May 19, 2026
Credited to ChipWolf and jonesbusy

auth-fetch-mcp: SSRF and disk exfiltration via unvalidated auth_fetch and download_media URLs (High)
GHSA-hv85-774v-26fg was published for auth-fetch-mcp (npm) May 19, 2026

zrok copy writes attacker-controlled WebDAV paths outside the destination root (High)
CVE-2026-45576 was published for github.com/openziti/zrok (Go) May 19, 2026
Credited to aisafe-bot

HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack (High)
CVE-2026-46511 was published for @haxtheweb/haxcms-nodejs (npm) May 19, 2026
Credited to trigerman

Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover (High)
CVE-2026-46396 was published for @haxtheweb/haxcms-nodejs (npm) May 19, 2026
Credited to trigerman

HAX open-apis: Credential Theft via Server-Side Request Forgery (SSRF) in open-apis (High)
CVE-2026-46391 was published for @haxtheweb/open-apis (npm) May 19, 2026
Credited to bradyjmcl

HAXcms createSite SSRF Enables Arbitrary File Read (High)
CVE-2026-46393 was published for @haxtheweb/haxcms-nodejs (npm) May 19, 2026
Credited to wsparks-vc and d6fault

Algernon: Single-file mode unconditionally enables debug mode (High)
CVE-2026-45728 was published for github.com/xyproto/algernon (Go) May 19, 2026
Credited to Dredsen

Scriban: array.insert_at index parameter DoS bypasses LoopLimit and LimitToString (High)
GHSA-24c8-4792-22hx was published for scriban (NuGet) May 19, 2026
Credited to fg0x0

ImageMagick: Infinite Loop in the MIFF decoder can lead to CPU exhaustion (High)
CVE-2026-46522 was published for Magick.NET-Q16-AnyCPU (NuGet) May 18, 2026
Credited to bl4cksku11

ImageMagick: Heap Buffer Over-Write in IPL decoder when reading multiple images of different dimensions (High)
CVE-2026-46520 was published for Magick.NET-Q16-AnyCPU (NuGet) May 18, 2026
Credited to omkhar

HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint (High)
CVE-2026-45367 was published for ca.uhn.hapi.fhir:org.hl7.fhir.dstu2 (Maven) May 18, 2026
Credited to offset

NiceGUI: Local file disclosure via Docutils file insertion in ui.restructured_text() (High)
CVE-2026-45553 was published for nicegui (pip) May 18, 2026
Credited to dennyabrahamsinaga, falkoschindler, h3ri0s, and evnchn

OpenTelemetry eBPF Instrumentation: Memcached payload length overflow can crash OBI (High)
CVE-2026-45686 was published for go.opentelemetry.io/obi (Go) May 18, 2026
Credited to MrAlias and grcevski

OpenTelemetry eBPF Instrumentation: MongoDB parser panics on malformed wire messages (High)
CVE-2026-45685 was published for go.opentelemetry.io/obi (Go) May 18, 2026
Credited to MrAlias

Microsoft Security Advisory CVE-2026-35433 – .NET Elevation of Privilege Vulnerability (High)
CVE-2026-35433 was published for Microsoft.WindowsDesktop.App.Runtime.win-arm64 (NuGet) May 18, 2026
Credited to Ky0toFu

Microsoft Security Advisory CVE-2026-42899 – ASP.NET Core Denial of Service Vulnerability (High)
CVE-2026-42899 was published for Microsoft.AspNetCore.App.Runtime.linux-arm (NuGet) May 18, 2026
Credited to hamayanhamayan

Microsoft Security Advisory CVE-2026-32175 – .NET Core Tampering Vulnerability (High)
CVE-2026-32175 was published for Microsoft.NetCore.App.Runtime.win-arm (NuGet) May 18, 2026

OpenTelemetry eBPF Instrumentation: Postgres BIND parsing can panic on malformed payloads (High)
CVE-2026-45678 was published for go.opentelemetry.io/obi (Go) May 18, 2026
Credited to MrAlias, grcevski, and rafaelroquetto

Postgrex: Channel-name SQL injection in `Postgrex.Notifications.listen/3` (High)
CVE-2026-32687 was published for postgrex (Erlang) May 18, 2026
Credited to PJUllrich

Docker: Race condition in docker cp allows bind mount redirection to host path (High)
CVE-2026-42306 was published for github.com/docker/docker (Go) May 18, 2026
Credited to vvoland and 0xlally

Docker: `PUT /containers/{id}/archive` executes container binary on the host (High)
CVE-2026-41567 was published for github.com/docker/docker (Go) May 18, 2026
Credited to manizada and vvoland