GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
1,743 advisories
twig/intl-extra: Unbounded formatter memoisation in keyed on template-controlled arguments
Low. CVE-2026-46629 was published for twig/intl-extra (Composer), May 21, 2026

Russh: Unchecked CryptoVec allocation and growth handling is reachable
High. CVE-2026-46673 was published for russh (Rust), May 21, 2026

NocoDB: Attachment Size Limit Bypass via Upload-by-URL
Low. CVE-2026-46553 was published for nocodb (npm), May 21, 2026

NocoDB: Missing File Size Enforcement in Upload-by-URL Allows Denial of Service via Disk Exhaustion
Moderate. CVE-2026-46551 was published for nocodb (npm), May 21, 2026

An unbounded memory reallocation in the charset conversion code in Netatalk 2.0.0 through 4.4.2...
Low, Unreviewed. CVE-2026-44070 was published May 21, 2026

Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit...
Moderate, Unreviewed. CVE-2026-8486 was published May 20, 2026

Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit...
Moderate, Unreviewed. CVE-2026-8488 was published May 20, 2026

Plug: Unbounded buffer accumulation in multipart header parsing causes denial of service
High. CVE-2026-8468 was published for plug (Erlang), May 20, 2026

A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server...
High, Unreviewed. CVE-2026-9064 was published May 20, 2026

FPDI: Memory Exhaustion and Endless Loop in FPDI leads to Denial of Service
Moderate. CVE-2026-45802 was published for setasign/fpdi (Composer), May 19, 2026

Bandit: Unauthenticated one-shot DoS via `Transfer-Encoding: chunked`
High. CVE-2026-39803 was published for bandit (Erlang), May 19, 2026

Mailpit: Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes
High. CVE-2026-45713 was published for github.com/axllent/mailpit (Go), May 19, 2026

Mailpit: Concurrent map read & write in proxy CSS rewriter - remote unauth crash (fatal error: concurrent map read and map write)
Moderate. CVE-2026-45712 was published for github.com/axllent/mailpit (Go), May 19, 2026

Scriban: array.insert_at index parameter DoS bypasses LoopLimit and LimitToString
High. GHSA-24c8-4792-22hx was published for scriban (NuGet), May 19, 2026

NiceGUI: Unauthenticated log-volume denial of service in dynamic resource routes
Moderate. CVE-2026-45554 was published for nicegui (pip), May 18, 2026

OpenTelemetry eBPF Instrumentation: CappedConcurrentHashMap leaks keys after removals
Moderate. CVE-2026-45682 was published for go.opentelemetry.io/obi (Go), May 18, 2026

ImageMagick: Policy Bypass in PSD decoder
Moderate. CVE-2026-45031 was published for Magick.NET-Q16-AnyCPU (NuGet), May 18, 2026

iskorotkov/avro: Denial-of-Service Vulnerability in Decoder
High. GHSA-mx64-mj3q-7prj was published for github.com/iskorotkov/avro/v2 (Go), May 18, 2026

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to limit the...
Moderate, Unreviewed. CVE-2026-2325 was published May 18, 2026

WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows...
High, Unreviewed. CVE-2021-47959 was published May 15, 2026

Svelte devalue: DoS via sparse array deserialization
High. CVE-2026-42570 was published for devalue (npm), May 14, 2026

OpenTelemetry Java SDK has Unbounded Memory Allocation in W3C Baggage Propagation
Moderate. CVE-2026-45292 was published for io.opentelemetry:opentelemetry-api (Maven), May 14, 2026

Absinthe: Unbounded atom creation from parsed directive name
High. CVE-2026-42793 was published for absinthe (Erlang), May 14, 2026

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.9.7, 18...
Moderate, Unreviewed. CVE-2026-8280 was published May 14, 2026

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.9.7, 18...
High, Unreviewed. CVE-2025-14870 was published May 14, 2026