Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,894
Maven
5,000+
npm
5,000+
NuGet
963
pip
5,000+
Pub
13
RubyGems
1,061
Rust
1,373
Swift
54
Unreviewed advisories
All unreviewed
5,000+

2,217 advisories

Loading
ImageMagick: Information Disclosure in PasskeyEncipherImage via AES-CTR nonce reuse Low
GHSA-qv2q-c278-pch5 was published for Magick.NET-Q16-AnyCPU (NuGet) May 21, 2026
007bsd Credited to 007bsd and LuiginoC LuiginoC LuiginoC
ImageMagick: Division by Zero in binomial kernel Low
GHSA-vf33-6r7x-66xx was published for Magick.NET-Q16-AnyCPU (NuGet) May 21, 2026
007bsd Credited to 007bsd
Twig: HTML-output filters in twig/* extras incorrectly declared `is_safe => ['all']` Low
CVE-2026-46637 was published for twig/cssinliner-extra (Composer) May 21, 2026
Twig: Sandbox property allowlist bypass via the `column` filter (array_column on objects) Low
CVE-2026-46635 was published for twig/twig (Composer) May 21, 2026
twig/intl-extra: Unbounded formatter memoisation in keyed on template-controlled arguments Low
CVE-2026-46629 was published for twig/intl-extra (Composer) May 21, 2026
Twig: The `spaceless` filter implicitly marks its output as safe Low
CVE-2026-46628 was published for twig/twig (Composer) May 21, 2026
NocoDB: Stale Auth Cache After API Token Deletion Low
CVE-2026-46554 was published for nocodb (npm) May 21, 2026
bugbunny-research Credited to bugbunny-research
NocoDB: Attachment Size Limit Bypass via Upload-by-URL Low
CVE-2026-46553 was published for nocodb (npm) May 21, 2026
bugbunny-research Credited to bugbunny-research
NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation Low
CVE-2026-46549 was published for nocodb (npm) May 21, 2026
ik0z Credited to ik0z
SpiceDB: Caveat structures with nested lists can result in improper cache reuse Low
CVE-2026-46668 was published for github.com/authzed/spicedb (Go) May 21, 2026
Crawlee for Python: SSRF via sitemap-derived URLs Low
CVE-2026-46497 was published for crawlee (pip) May 21, 2026
FORIMOC Credited to FORIMOC and Arturo0x90 Arturo0x90 Arturo0x90
androidqf: APK download Path Traversal in device APK paths Low
GHSA-763j-3p5v-jfc6 was published for github.com/mvt-project/androidqf (Go) May 21, 2026
androidqf: Zip entry Name Injection in APK bundle (Zip Slip for zip consumers) Low
GHSA-jf2q-463c-6f52 was published for github.com/mvt-project/androidqf (Go) May 21, 2026
OpenTofu: Excessive resource usage in "tofu init" when installing dependencies from attacker-controlled server Low
GHSA-pxh5-6rrc-8rjv was published for github.com/opentofu/opentofu (Go) May 20, 2026
Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning Low
CVE-2026-46342 was published for @nuxt/nitro-server (npm) May 19, 2026
fancymalware Credited to fancymalware
Turbo: Unexpected local code execution during Yarn Berry detection Low
CVE-2026-45772 was published for @turbo/codemod (npm) May 19, 2026
GitHub CLI: GitHub Actions log output in `gh run view` allows terminal escape sequence injection Low
CVE-2026-45803 was published for github.com/cli/cli (Go) May 19, 2026
Strawberry GraphQL: Default GraphiQL may expose HTTP headers in URLs Low
CVE-2026-45739 was published for strawberry-graphql (pip) May 19, 2026
lpschroer Credited to lpschroer, bellini666, and patrick91 bellini666 bellini666
patrick91 patrick91
MCP Registry: OCI validator skips ownership check on upstream rate limits Low
CVE-2026-45781 was published for github.com/modelcontextprotocol/registry (Go) May 19, 2026
rdimitrov Credited to rdimitrov
go-git: Improper single-quote escaping in go-git SSH transport Low
CVE-2026-45570 was published for github.com/go-git/go-git (Go) May 19, 2026
N0zoM1z0 Credited to N0zoM1z0 and hiddeco hiddeco hiddeco
OpenTelemetry eBPF Instrumentation: Java TLS ioctl kprobe allows kernel memory disclosure Low
CVE-2026-45683 was published for go.opentelemetry.io/obi (Go) May 18, 2026
MrAlias Credited to MrAlias and grcevski grcevski grcevski
Broken dropper in @mistralai/mistralai, @mistralai/mistralai-azure, @mistralai/mistralai-gcp Low
GHSA-jgg6-4rpr-wfh7 was published for @mistralai/mistralai (npm) May 18, 2026
jean-malo Credited to jean-malo
Sulu: Used API Keys may be available via Admin API Low
GHSA-9m6v-8fxc-4r44 was published for sulu/sulu (Composer) May 18, 2026
gangadhar-s-k Credited to gangadhar-s-k, mamazu, and alexander-schranz mamazu mamazu
alexander-schranz alexander-schranz
LibreNMS: Cross-Site Scripting in ShowConfigController Low
CVE-2026-2728 was published for librenms/librenms (Composer) May 18, 2026
YuriNek0 Credited to YuriNek0
Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2: protocol-relative URI objects still bypass host scoping Low
CVE-2026-33637 was published for faraday (RubyGems) May 18, 2026
Pirikara Credited to Pirikara
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database