Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,894
Maven
5,000+
npm
5,000+
NuGet
963
pip
5,000+
Pub
13
RubyGems
1,061
Rust
1,373
Swift
54
Unreviewed advisories
All unreviewed
5,000+

13,578 advisories

Loading
OpenTelemetry eBPF Instrumentation: Unbounded BPF internal metrics replay can exhaust CPU Moderate
CVE-2026-45680 was published for go.opentelemetry.io/obi (Go) May 18, 2026
MrAlias Credited to MrAlias
ws: Uninitialized memory disclosure Moderate
CVE-2026-45736 was published for ws (npm) May 18, 2026
ChALkeR Credited to ChALkeR
AVideo: Authenticated Arbitrary File Read in view/update.php Moderate
CVE-2026-45731 was published for WWBN/AVideo (Composer) May 18, 2026
pr3ungdt Credited to pr3ungdt
OpenTelemetry eBPF Instrumentation: Redis error text is exported in span status messages Moderate
CVE-2026-45679 was published for go.opentelemetry.io/obi (Go) May 18, 2026
MrAlias Credited to MrAlias and grcevski grcevski grcevski
OpenTelemetry eBPF Instrumentation: Unsafe fastelf parsing allows malformed ELF to crash agent Moderate
CVE-2026-45676 was published for go.opentelemetry.io/obi (Go) May 18, 2026
MrAlias Credited to MrAlias and rafaelroquetto rafaelroquetto rafaelroquetto
ImageMagick: Policy Bypass in PSD decoder Moderate
CVE-2026-45031 was published for Magick.NET-Q16-AnyCPU (NuGet) May 18, 2026
dayzsec Credited to dayzsec
Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap Moderate
CVE-2026-41568 was published for github.com/docker/docker (Go) May 18, 2026
manizada Credited to manizada and vvoland vvoland vvoland
ImageMagick: Out-of-Bounds Read of a single byte in meta encoder Moderate
CVE-2026-45358 was published for Magick.NET-Q16-AnyCPU (NuGet) May 18, 2026
007bsd Credited to 007bsd
ImageMagick: Out-of-Bounds Read in connected components when the user supplies an invalid keep-top define Moderate
CVE-2026-45359 was published for Magick.NET-Q16-AnyCPU (NuGet) May 18, 2026
007bsd Credited to 007bsd
Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API Moderate
CVE-2026-45719 was published for @budibase/server (npm) May 18, 2026
MerlijnW70 Credited to MerlijnW70
Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on Out-of-Scope Rows Moderate
CVE-2026-45718 was published for budibase (npm) May 18, 2026
offset Credited to offset
Sulu: Weak Cryptographical usage for API Key generation and Reset Tokens Moderate
CVE-2026-45701 was published for sulu/sulu (Composer) May 18, 2026
gangadhar-s-k Credited to gangadhar-s-k, mamazu, alexander-schranz, and Prokyonn mamazu mamazu
alexander-schranz alexander-schranz Prokyonn Prokyonn
shopper/framework: Race condition on Discount.usage_limit allows silent over-redemption Moderate
GHSA-9rh9-hf3w-9fgg was published for shopper/cart (Composer) May 18, 2026
baradika Credited to baradika
brace-expansion: Large numeric range defeats documented `max` DoS protection Moderate
CVE-2026-45149 was published for brace-expansion (npm) May 18, 2026
subhashdasyam Credited to subhashdasyam and katzj katzj katzj
CI4MS Fileeditor allows deletion and rename of critical application files due to missing extension allowlist on destructive operations Moderate
CVE-2026-45139 was published for ci4-cms-erp/ci4ms (Composer) May 18, 2026
offset Credited to offset
CI4MS: Stored XSS in Blog Content via Broken `html_purify` Validation Rule Moderate
CVE-2026-45138 was published for ci4-cms-erp/ci4ms (Composer) May 18, 2026
offset Credited to offset
Microsoft DirectX12: .spritefont multiply overflow only in 32-bit builds Moderate
GHSA-5r97-79vw-qvm4 was published for directxtk12_desktop_win10 (NuGet) May 18, 2026
Microsoft DirectX: .spritefont multiply overflow only in 32-bit builds Moderate
GHSA-c55g-rp4x-fx84 was published for directxtk_desktop_win10 (NuGet) May 18, 2026
eduMFA: Unauthenticated Failcounter Increment on Resolver Tokens via /validate/check Moderate
GHSA-74r7-3mjm-jc5v was published for edumfa (pip) May 18, 2026
Statamic CMS: Server-Side Request Forgery via Glide Moderate
CVE-2026-45660 was published for statamic/cms (Composer) May 18, 2026
haoit Credited to haoit
ImageMagick: Heap Buffer Over-Read in IPTC encoder Moderate
CVE-2026-42326 was published for Magick.NET-Q16-AnyCPU (NuGet) May 18, 2026
sukhoon0975 Credited to sukhoon0975
Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass Moderate
CVE-2026-45577 was published for neotoma (npm) May 18, 2026
Arcane Backend: OS Command Injection in Volume Browser ListDirectory via path query parameter Moderate
CVE-2026-45626 was published for github.com/getarcaneapp/arcane/backend (Go) May 18, 2026
offset Credited to offset
webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins Moderate
CVE-2026-6402 was published for webpack-dev-server (npm) May 18, 2026
sapphi-red Credited to sapphi-red, UlisesGascon, bjohansebas, and alexander-akait UlisesGascon UlisesGascon
bjohansebas bjohansebas alexander-akait alexander-akait
AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024` Moderate
CVE-2026-45620 was published for WWBN/AVideo (Composer) May 18, 2026
SnailSploit Credited to SnailSploit
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database