GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, by ecosystem (the page caps displayed counts at 5,000+):

All reviewed: 5,000+
Composer: 5,000+
Erlang: 41
GitHub Actions: 41
Go: 3,054
Maven: 5,000+
npm: 4,793
NuGet: 825
pip: 4,392
Pub: 12
RubyGems: 988
Rust: 1,147
Swift: 50

Unreviewed advisories (all): 5,000+

26,491 advisories listed, most recent first:
Published | Severity | Identifier | Package (ecosystem) | Advisory
--------- | -------- | ---------- | ------------------- | --------
Feb 28, 2026 | Moderate | CVE-2026-28338 | net.sourceforge.pmd:pmd-core (Maven) | PMD Designer has Stored XSS in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages
Feb 28, 2026 | Moderate | GHSA-j8cj-hw74-64jv | hivex (Rust) | Hive has Double-free and Use After Free Vulnerabilities
Feb 28, 2026 | High | CVE-2026-2880 | @fastify/middie (npm) | @fastify/middie has Improper Path Normalization when Using Path-Scoped Middleware
Feb 28, 2026 | Moderate | CVE-2026-28351 | pypdf (pip) | pypdf: Manipulated RunLengthDecode streams can exhaust RAM
Feb 28, 2026 | Moderate | CVE-2026-28280 | github.com/jmpsec/osctrl (Go) | osctrl has Stored Cross-Site Scripting (XSS) in On-Demand Query List
Feb 28, 2026 | High | CVE-2026-28279 | github.com/jmpsec/osctrl (Go) | osctrl is Vulnerable to OS Command Injection via Environment Configuration
Feb 28, 2026 | Low | GHSA-fpg4-jhqr-589c | @sveltejs/kit (npm) | SvelteKit has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimental only)
Feb 28, 2026 | High | GHSA-72hv-8253-57qq | com.fasterxml.jackson.core:jackson-core (Maven) | jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
Feb 28, 2026 | Critical | CVE-2026-28268 | code.vikunja.io/api (Go) | Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse
Feb 27, 2026 | Moderate | CVE-2026-28208 | com.github.junrar:junrar (Maven) | Junrar has an arbitrary file write due to backslash Path Traversal bypass in LocalFolderExtractor on Linux/Unix
Feb 27, 2026 | Moderate | GHSA-7jx5-9fjg-hp4m | openclaw (npm) | OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata
Feb 27, 2026 | Moderate | GHSA-82g8-464f-2mv7 | openclaw (npm) | OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth)
Feb 27, 2026 | High | CVE-2026-27939 | statamic/cms (Composer) | Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass
Feb 27, 2026 | Low | CVE-2026-27945 | github.com/zitadel/zitadel/v2 (Go) | ZITADEL has potential SSRF via Actions
Feb 27, 2026 | High | CVE-2026-27946 | github.com/zitadel/zitadel (Go) | ZITADEL Users Can Self-Verify Email/Phone via UpdateHumanUser API
Feb 27, 2026 | Moderate | CVE-2026-27840 | github.com/zitadel/zitadel (Go) | ZITADEL's truncated opaque tokens are still valid
Feb 27, 2026 | High | CVE-2026-27836 | thorsten/phpmyfaq (Composer) | phpMyFAQ Allows Unauthenticated Account Creation via WebAuthn Prepare Endpoint
Feb 27, 2026 | Moderate | CVE-2026-27734 | github.com/henrygd/beszel (Go) | Beszel: Docker API has a Path Traversal Vulnerability via Unsanitized Container ID
Feb 27, 2026 | Moderate | CVE-2026-27638 | @actual-app/sync-server (npm) | @actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode
Feb 27, 2026 | High | CVE-2026-27449 | Umbraco.Engage.Forms (NuGet) | Umbraco.Engage.Forms Allows Unauthorized Access to Multiple API Endpoints
Feb 27, 2026 | High | CVE-2026-27970 | @angular/core (npm) | Angular i18n vulnerable to Cross-Site Scripting
Feb 27, 2026 | High | CVE-2026-26862 | clevertap-web-sdk (npm) | CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage
Feb 27, 2026 | High | CVE-2026-26861 | clevertap-web-sdk (npm) | CleverTap Web SDK is vulnerable to DOM-based XSS via handleCustomHtmlPreviewPostMessageEvent function
Feb 27, 2026 | High | GHSA-7q64-3rg2-h9pf (withdrawn) | @nestjs/platform-fastify (npm) | Duplicate Advisory: Nest has a Fastify URL Encoding Middleware Bypass
Feb 27, 2026 | Critical | CVE-2026-27969 | vitess.io/vitess (Go) | Vitess users with backup storage access can write to arbitrary file paths on restore
Advisories are also available from the GraphQL API.
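A worked example of pulling the same listing over the GraphQL API the page points to, added here as an illustration and not code from GitHub or from the page. The query uses the `securityAdvisories` connection and the field names I know from the public GitHub GraphQL schema (`ghsaId`, `summary`, `severity`, `publishedAt`, `withdrawnAt`, `identifiers`, `vulnerabilities` with `package`, `vulnerableVersionRange`, `firstPatchedVersion`); confirm them against the schema explorer if the schema has moved. It reads a token from a `GITHUB_TOKEN` environment variable (an assumption of this example), and when none is set it runs the flattening over a constructed, fictitious sample response so the filtering (drop withdrawn entries such as the duplicate advisory above, enforce a minimum severity, prefer the CVE id over the GHSA id) can be exercised offline.

```python
"""Pull the newest GitHub Advisory Database entries over the GraphQL API and
flatten them into rows like the listing above (one row per affected package),
skipping withdrawn advisories and anything below a chosen severity."""
import json
import os
import urllib.request

GRAPHQL_ENDPOINT = "https://api.github.com/graphql"

# Field names follow the public GitHub GraphQL schema (Query.securityAdvisories,
# SecurityAdvisory, SecurityVulnerability); confirm in the schema explorer if in doubt.
QUERY = """
query RecentAdvisories($first: Int!) {
  securityAdvisories(first: $first, orderBy: {field: PUBLISHED_AT, direction: DESC}) {
    nodes {
      ghsaId summary severity publishedAt withdrawnAt
      identifiers { type value }
      vulnerabilities(first: 10) { nodes {
        package { ecosystem name } vulnerableVersionRange firstPatchedVersion { identifier }
      } }
    }
  }
}
"""

SEVERITY_RANK = {"LOW": 0, "MODERATE": 1, "HIGH": 2, "CRITICAL": 3}  # SecurityAdvisorySeverity enum
# SecurityAdvisoryEcosystem enum values mapped to the labels the web listing uses
ECOSYSTEM_LABEL = {"ACTIONS": "GitHub Actions", "COMPOSER": "Composer", "ERLANG": "Erlang",
                   "GO": "Go", "MAVEN": "Maven", "NPM": "npm", "NUGET": "NuGet", "PIP": "pip",
                   "PUB": "Pub", "RUBYGEMS": "RubyGems", "RUST": "Rust", "SWIFT": "Swift"}

def fetch_advisories(token, first=25):
    """POST the query; GitHub's GraphQL endpoint only answers authenticated requests."""
    body = json.dumps({"query": QUERY, "variables": {"first": first}}).encode()
    req = urllib.request.Request(GRAPHQL_ENDPOINT, data=body, method="POST", headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        payload = json.load(resp)
    if payload.get("errors"):  # GraphQL reports errors in the body, not the HTTP status
        raise RuntimeError(payload["errors"])
    return payload["data"]["securityAdvisories"]["nodes"]

def primary_identifier(node):
    """Show the CVE id when one exists, otherwise the GHSA id, as the listing does."""
    for ident in node.get("identifiers") or []:
        if ident.get("type") == "CVE":
            return ident["value"]
    return node["ghsaId"]

def to_rows(nodes, min_severity="LOW", include_withdrawn=False):
    """One row per affected package; withdrawn advisories (e.g. duplicates) and
    advisories below min_severity are dropped."""
    rows = []
    for node in nodes:
        if node.get("withdrawnAt") and not include_withdrawn:
            continue
        if SEVERITY_RANK.get(node.get("severity"), -1) < SEVERITY_RANK[min_severity]:
            continue
        for vuln in node["vulnerabilities"]["nodes"]:
            pkg = vuln["package"]
            patched = vuln.get("firstPatchedVersion") or {}
            rows.append({
                "id": primary_identifier(node), "severity": node["severity"],
                "package": pkg["name"],
                "ecosystem": ECOSYSTEM_LABEL.get(pkg["ecosystem"], pkg["ecosystem"]),
                "affected": vuln["vulnerableVersionRange"],
                "patched": patched.get("identifier"),  # None when no fix is published yet
                "published": node["publishedAt"][:10], "summary": node["summary"],
            })
    return rows

def render(rows):
    """Render rows in the same column order as the listing above."""
    return "\n".join(f"{r['published']} | {r['severity']} | {r['id']} | {r['package']} "
                     f"({r['ecosystem']}) | affected {r['affected']} | patched "
                     f"{r['patched'] or 'none'} | {r['summary']}" for r in rows)

# Constructed sample response with fictitious advisories (not real database entries),
# so the flattening can be exercised offline without a token.
SAMPLE_NODES = [
    {"ghsaId": "GHSA-aaaa-bbbb-cccc", "summary": "example-pkg: path traversal in extractor",
     "severity": "HIGH", "publishedAt": "2026-02-28T10:00:00Z", "withdrawnAt": None,
     "identifiers": [{"type": "GHSA", "value": "GHSA-aaaa-bbbb-cccc"},
                     {"type": "CVE", "value": "CVE-2026-00000"}],  # placeholder id
     "vulnerabilities": {"nodes": [{"package": {"ecosystem": "NPM", "name": "example-pkg"},
                                    "vulnerableVersionRange": "< 2.4.1",
                                    "firstPatchedVersion": {"identifier": "2.4.1"}}]}},
    {"ghsaId": "GHSA-dddd-eeee-ffff", "summary": "Duplicate Advisory: example-lib DoS",
     "severity": "LOW", "publishedAt": "2026-02-27T09:00:00Z",
     "withdrawnAt": "2026-02-27T12:00:00Z",
     "identifiers": [{"type": "GHSA", "value": "GHSA-dddd-eeee-ffff"}],
     "vulnerabilities": {"nodes": [{"package": {"ecosystem": "MAVEN", "name": "org.example:example-lib"},
                                    "vulnerableVersionRange": "<= 1.0.0", "firstPatchedVersion": None}]}},
]

if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    nodes = fetch_advisories(token) if token else SAMPLE_NODES
    print(render(to_rows(nodes, min_severity="MODERATE")))
```

Two points worth keeping in mind when using this for real: GraphQL returns HTTP 200 even when the query fails, so the `errors` key has to be checked explicitly; and a withdrawn advisory is not deleted, it simply gains a `withdrawnAt` timestamp, so any automation that pages through advisories needs to filter on that field or it will keep acting on entries like the withdrawn duplicate in the listing above.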