GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
77 advisories match the current filter; the 25 most recent are listed below, newest first. Entries marked unreviewed have not been assessed by GitHub and show no package or ecosystem in this listing.
fast-jwt: Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup)
Critical. CVE-2026-35039, published Apr 3, 2026 for fast-jwt (npm).

OpenClaw: Synology Chat reply delivery could be rebound through username-based user resolution.
High. GHSA-wv46-v6xc-2qhf, published Mar 26, 2026 for openclaw (npm).

srvx is vulnerable to middleware bypass via absolute URI in request line
Moderate. CVE-2026-33732, published Mar 26, 2026 for srvx (npm).

h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes
Low. CVE-2026-33490, published Mar 20, 2026 for h3 (npm).

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 1.0 before 18.7.6, 18...
Moderate, unreviewed. CVE-2026-1230, published Mar 11, 2026.

WeKnora Vulnerable to Tool Execution Hijacking via Ambiguous Naming Convention In MCP client and Indirect Prompt Injection
Moderate. CVE-2026-30856, published Mar 6, 2026 for github.com/Tencent/WeKnora (Go).

opennextjs-cloudflare has SSRF vulnerability via /cdn-cgi/ path normalization bypass
High. CVE-2026-3125, published Mar 5, 2026 for @opennextjs/cloudflare (npm).

File Browser has a Path-Based Access Control Bypass via Multiple Leading Slashes in URL
High. CVE-2026-25890, published Feb 10, 2026 for github.com/filebrowser/filebrowser/v2 (Go).

SmarterTools SmarterMail versions prior to build 9518 contain an unauthenticated path coercion...
Moderate, unreviewed. CVE-2026-25067, published Jan 29, 2026.

An arbitrary file rename vulnerability in the /admin/manager.php component of EasyImages 2.0 v2.8...
High, unreviewed. CVE-2025-65474, published Dec 11, 2025.

Apptainer ineffectively applies selinux and apparmor --security options
Moderate. CVE-2025-65105, published Dec 2, 2025 for github.com/apptainer/apptainer (Go).

Singularity ineffectively applies selinux / apparmor LSM process labels
Moderate. CVE-2025-64750, published Dec 2, 2025 for github.com/sylabs/singularity/v4 (Go).

zx Uses Incorrectly-Resolved Name or Reference
Moderate. CVE-2025-13437, published Nov 20, 2025 for zx (npm).

CommandKit has incorrect command name exposure in context object for message command aliases
Moderate. CVE-2025-62378, published Oct 13, 2025 for commandkit (npm).

Hono's flaw in URL path parsing could cause path confusion
High. CVE-2025-58362, published Sep 3, 2025 for hono (npm).

Improper Handling of Windows ::DATA Alternate Data Stream vulnerability in Tridium Niagara...
Moderate, unreviewed. CVE-2025-3941, published May 22, 2025.

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File...
High, unreviewed. CVE-2025-48136, published May 16, 2025.

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File...
High, unreviewed. CVE-2025-30870, published Apr 1, 2025.

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File...
High, unreviewed. CVE-2025-30849, published Apr 1, 2025.

OWASP Coraza WAF has parser confusion which leads to wrong URI in `REQUEST_FILENAME`
Moderate. CVE-2025-29914, published Mar 20, 2025 for github.com/corazawaf/coraza/v3 (Go).

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File...
Moderate, unreviewed. CVE-2025-24733, published Jan 24, 2025.

Zenitel AlphaWeb XE v11.2.3.10 was discovered to contain a local file inclusion vulnerability via...
Moderate, unreviewed. CVE-2024-57785, published Jan 17, 2025.

An insecure direct object reference (IDOR) vulnerability was discovered in PHPGurukul Online...
Moderate, unreviewed. CVE-2024-55058, published Dec 17, 2024.

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File...
High, unreviewed. CVE-2024-53739, published Nov 30, 2024.

gitsign may use incorrect Rekor entries during verification
Low. CVE-2024-51746, published Nov 5, 2024 for github.com/sigstore/gitsign (Go).
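Several entries above (the h3 mount() boundary check, the srvx absolute-URI request line, the File Browser leading slashes, the opennextjs-cloudflare path normalization bypass, the Hono path parsing flaw) are instances of one pattern: a request path is matched or access-checked in one form and the resource is resolved from another. The following is an added illustration of that pattern in a minimal router, not the code of any project in this listing; the route table, the mount point and the request-targets are constructed for the demo.

```javascript
// Added illustration of the "incorrectly resolved name or reference" pattern
// behind several advisories in this listing. Not any project's code: ROUTES,
// AUTH_MOUNT and SAMPLE_TARGETS are constructed for the demo.

// Bug class A: bare prefix match. "/administrator" shares the prefix "/admin"
// but is an unrelated route, so middleware mounted on "/admin" fires there.
function prefixMatch(path, mount) {
  return path.startsWith(mount);
}

// Fix for A: the character after the mount point must be a segment boundary.
function mountMatch(path, mount) {
  if (mount === "/") return true;
  if (!path.startsWith(mount)) return false;
  return path.length === mount.length || path[mount.length] === "/";
}

// Canonical path from an HTTP request-target: accepts absolute-form targets
// ("GET http://host/x HTTP/1.1"), drops query and fragment, collapses repeated
// slashes and resolves "." and ".." segments. Returns null when the target
// cannot be parsed. Percent-decoding is deliberately not done here; a component
// that decodes must do so before this step, never after it.
function canonicalPath(requestTarget) {
  let path = requestTarget;
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(path)) {
    try {
      path = new URL(path).pathname;
    } catch {
      return null;
    }
  }
  path = path.split(/[?#]/)[0];
  const segments = [];
  for (const seg of path.split("/")) {
    if (seg === "" || seg === ".") continue; // an empty segment is a repeated slash
    if (seg === "..") { segments.pop(); continue; }
    segments.push(seg);
  }
  return "/" + segments.join("/");
}

// Constructed route table; only "/admin/..." is meant to require authentication.
const ROUTES = {
  "/admin/users": "admin user list",
  "/administrator": "public docs page",
  "/health": "ok",
};
const AUTH_MOUNT = "/admin";

// Vulnerable pipeline: the auth middleware is matched against the raw
// request-target with a bare prefix, while the handler resolves the resource
// from the canonical path. Two components now hold two views of one request:
// "//admin/users" and "http://example.com/admin/users" skip the middleware yet
// still reach the admin resource, and "/administrator" or "/admin/../health"
// trigger it although they are unrelated routes.
function handleVulnerable(requestTarget) {
  const authRequired = prefixMatch(requestTarget, AUTH_MOUNT);
  const resource = ROUTES[canonicalPath(requestTarget)];
  return { authRequired, resource };
}

// Hardened pipeline: canonicalize once, up front, reject what cannot be
// canonicalized, and let every later decision use that single path.
function handleHardened(requestTarget) {
  const path = canonicalPath(requestTarget);
  if (path === null) return { authRequired: false, resource: undefined, rejected: true };
  return { authRequired: mountMatch(path, AUTH_MOUNT), resource: ROUTES[path], rejected: false };
}

const SAMPLE_TARGETS = [
  "/admin/users",
  "//admin/users",
  "http://example.com/admin/users",
  "/administrator",
  "/admin/../health",
];

for (const target of SAMPLE_TARGETS) {
  console.log(JSON.stringify(target), "vulnerable:", handleVulnerable(target), "hardened:", handleHardened(target));
}
```

The check to carry away is structural rather than a regex: every component that makes a decision about a request must see the same canonical path, produced once before any of them runs, and prefix-mounted middleware must test for a segment boundary rather than a string prefix.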
Advisories are also available from the GitHub GraphQL API.