Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,894
Maven
5,000+
npm
5,000+
NuGet
963
pip
5,000+
Pub
13
RubyGems
1,061
Rust
1,373
Swift
54
Unreviewed advisories
All unreviewed
5,000+

10,950 advisories

Loading
Tekton Pipeline: Git Resolver Unsanitized Revision Parameter Enables git Argument Injection Leading to RCE High
CVE-2026-40938 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
offset Credited to offset, vdemeester, kodareef5, and waveywaves vdemeester vdemeester
kodareef5 kodareef5 waveywaves waveywaves
Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret High
CVE-2026-46701 was published for network-ai (npm) May 21, 2026
232-323 Credited to 232-323 and min8282 min8282 min8282
@nevware21/ts-utils: Prototype Pollution in objDeepCopy/objCopyProps via for...in without hasOwnProperty High
CVE-2026-46681 was published for @nevware21/ts-utils (npm) May 21, 2026
containerd user ID handling bypass allows runAsNonRoot evasion High
CVE-2026-46680 was published for github.com/containerd/containerd (Go) May 21, 2026
ssst0n3 Credited to ssst0n3
js-libp2p: Memory DoS via subscription flood of unique topics High
CVE-2026-46679 was published for @libp2p/gossipsub (npm) May 21, 2026
tahaafarooq Credited to tahaafarooq
Twig: Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation High
CVE-2026-46640 was published for twig/twig (Composer) May 21, 2026
Twig: Sandbox property and method bypass via object-destructuring assignment High
CVE-2026-46639 was published for twig/twig (Composer) May 21, 2026
JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection High
CVE-2026-46625 was published for js-cookie (npm) May 21, 2026
teebow1e Credited to teebow1e
Tekton Pipelines: Git resolver API mode leaks system-configured API token to user-controlled serverURL High
CVE-2026-40161 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
kodareef5 Credited to kodareef5, vdemeester, stenzopolis1986-art, and waveywaves vdemeester vdemeester
stenzopolis1986-art stenzopolis1986-art waveywaves waveywaves
phpMyFAQ: Stored XSS via Utils::parseUrl() in comment rendering High
CVE-2026-46367 was published for phpMyFAQ (Composer) May 15, 2026
Russh: Unchecked CryptoVec allocation and growth handling is reachable High
CVE-2026-46673 was published for russh (Rust) May 21, 2026
mjc Credited to mjc
@hulumi/policies: Stack-wide evidence bypassed Cloudflare and deployment-governance guardrails High
GHSA-59f3-7227-wmh4 was published for @hulumi/policies (npm) May 21, 2026
@hulumi/policies: CIS 1.16 admin policy bypass for inline and attached IAM policies High
GHSA-4xrh-5m3m-328w was published for @hulumi/policies (npm) May 21, 2026
@hulumi/policies: HULUMI-H1 SecureBucket parent spoof bypass High
GHSA-g43v-9x7q-83pq was published for @hulumi/policies (npm) May 21, 2026
@hulumi/drift: Orphan reconciler accepted externally supplied execute plans High
GHSA-2ffm-hxrq-qqmm was published for @hulumi/drift (npm) May 21, 2026
MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement High
CVE-2026-46519 was published for mcp-server-kubernetes (npm) May 21, 2026
axsharma Credited to axsharma and 0xmagic0 0xmagic0 0xmagic0
Plonky3 MultiField32Challenger: transcript malleability and challenge entropy loss High
CVE-2026-46654 was published for p3-challenger (Rust) May 21, 2026
jonathanpwang Credited to jonathanpwang and zlangley zlangley zlangley
Snappy: Binary path is never shell-escaped due to an inverted is_executable check High
CVE-2026-46643 was published for KnpLabs/knp-snappy (Composer) May 21, 2026
Fission runtime pods automount the fission-fetcher service-account token into the user function container, granting function code namespace-wide secret / configmap read High
CVE-2026-46617 was published for github.com/fission/fission (Go) May 21, 2026
FORIMOC Credited to FORIMOC and sanketsudake sanketsudake sanketsudake
Fission StorageSvc /v1/archive endpoint exposes unauthenticated CRUD over all function archives High
CVE-2026-46612 was published for github.com/fission/fission (Go) May 21, 2026
j311yl0v3u Credited to j311yl0v3u, b0b0haha, and sanketsudake b0b0haha b0b0haha
sanketsudake sanketsudake
nimiq-primitives: Panic DoS in trie chunk processing via ROOT-keyed item High
CVE-2026-46545 was published for nimiq-primitives (Rust) May 21, 2026
Piravlos Credited to Piravlos and Eligioo Eligioo Eligioo
MLflow: unauthenticated access to certain FastAPI routes High
CVE-2026-2652 was published for mlflow (pip) May 15, 2026
lmdeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out High
CVE-2026-46517 was published for lmdeploy (pip) May 21, 2026
ibondarenko1 Credited to ibondarenko1
Crabbox: authentication bypass vulnerability that allows impersonation of others by spoofing identity headers High
CVE-2026-8621 was published for github.com/openclaw/crabbox (Go) May 14, 2026
md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed) High
CVE-2026-46492 was published for md-fileserver (npm) May 21, 2026
kiwi865 Credited to kiwi865
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database