GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
505 advisories
Russh: Unchecked CryptoVec allocation and growth handling is reachable
High | CVE-2026-46673 was published for russh (Rust) | May 21, 2026

Plonky3 MultiField32Challenger: transcript malleability and challenge entropy loss
High | CVE-2026-46654 was published for p3-challenger (Rust) | May 21, 2026

nimiq-primitives: Panic DoS in trie chunk processing via ROOT-keyed item
High | CVE-2026-46545 was published for nimiq-primitives (Rust) | May 21, 2026

libcrux-ml-dsa: Signature Verification on AVX2 Platforms Mishandles Edge Case
High | GHSA-fhvh-vw7h-9xf3 was published for libcrux-ml-dsa (Rust) | May 19, 2026

libcrux: Potential Panic on Overlong Ciphertext Buffer
High | GHSA-hc3c-63hc-2r9f was published for libcrux-chacha20poly1305 (Rust) | May 19, 2026

dynoxide: DNS rebinding and cross-origin CSRF via MCP HTTP transport
High | GHSA-fvh2-gm75-j4j7 was published for dynoxide (npm) | May 18, 2026

nimiq-keys: Unchecked Ed25519 signature length in TaggedPublicKey::verify causes remote node panic via DHT
High | CVE-2026-40092 was published for nimiq-keys (Rust) | May 15, 2026

DeepSeek TUI has SSRF IPV6 bypass
High | CVE-2026-45373 was published for deepseek-tui (Rust) | May 14, 2026

DeepSeek TUI has SSRF via HTTP Redirect Bypass in fetch_url Tool
High | CVE-2026-45310 was published for deepseek-tui (npm) | May 14, 2026

Anchor: `InterfaceAccount` allows account substitution between unexpected types
High | GHSA-429q-fhh4-r6hj was published for anchor-lang (Rust) | May 13, 2026

Anchor: Program<'info, System> is not properly validated
High | CVE-2026-45137 was published for anchor-lang (Rust) | May 13, 2026

smallbitvec: Integer overflow in safe API leads to heap buffer overflow
High | CVE-2026-44983 was published for smallbitvec (Rust) | May 9, 2026

Zebra has Permanent Block Discovery Halt via Gossip Queue Saturation and Syncer Poisoning
High | CVE-2026-44499 was published for zebrad (Rust) | May 8, 2026

hickory-proto: NSEC3 closest-encloser proof validation enters unbounded loop on cross-zone responses
High | GHSA-3v94-mw7p-v465 was published for hickory-net (Rust) | May 7, 2026

rust-zserio has Unbounded Memory Allocation
High | GHSA-fpf5-4jw8-67x8 was published for rust-zserio (Rust) | May 7, 2026

gix-fs: Symlink prefix-reuse allows worktree escape during checkout
High | CVE-2026-44471 was published for gix-fs (Rust) | May 7, 2026

ldap3_proto has LDAP Filter stack exhaustion
High | GHSA-qcxq-75wr-5cm8 was published for ldap3_proto (Rust) | May 6, 2026

scim_proton and kanidm_proto have an authenticated process abort via SCIM filter stack exhaustion
High | CVE-2026-46689 was published for kanidm_proto (Rust) | May 6, 2026

rmcp Streamable HTTP server transport has a DNS rebinding vulnerability
High | CVE-2026-42559 was published for rmcp (Rust) | May 6, 2026

rust-openssl has undefined behavior in X509Ref::ocsp_responders for certificates with non-UTF-8 OCSP URLs
High | CVE-2026-42327 was published for openssl (Rust) | May 5, 2026

RustFS: ListServiceAccount authorizes against wrong admin action, enabling cross-user enumeration and root service account takeover
High | GHSA-mm2q-qcmx-gw4w was published for rustfs (Rust) | May 5, 2026

gix and gitoxide: unvalidated submodule name traverses out of .git/modules and redirects state() / open() to another repository
High | GHSA-fr8x-3vfx-f45h was published for gitoxide (Rust) | May 5, 2026

gix and gitoxide's symlinked .gitmodules are followed and parsed from outside of the repository
High | GHSA-pg4w-g64p-qwhj was published for gitoxide (Rust) | May 5, 2026

gix-pack has multiple DoS vectors: unchecked indexing panics and uncapped OOM allocations from crafted pack data
High | GHSA-x494-mj8g-cj27 was published for gix-pack (Rust) | May 5, 2026

gitoxide: CommandForbiddenInModulesConfiguration Bypass in gix_submodule::File::update() Enables Arbitrary Command Execution via .gitmodules
High | GHSA-f26g-jm89-4g65 was published for gix (Rust) | May 5, 2026