GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, by ecosystem:
All reviewed: 5,000+
Composer: 5,000+
Erlang: 41
GitHub Actions: 41
Go: 3,054
Maven: 5,000+
npm: 4,793
NuGet: 825
pip: 4,392
Pub: 12
RubyGems: 988
Rust: 1,147
Swift: 50
Unreviewed advisories (all unreviewed): 5,000+
26,491 advisories
CVE-2026-28348 (Moderate): lxml-html-clean has CSS @import Filter Bypass via Unicode Escapes. Published for lxml-html-clean (pip) on Mar 2, 2026.
CVE-2026-28342 (High): OliveTin has Unauthenticated Denial of Service via Memory Exhaustion in PasswordHash API Endpoint. Published for github.com/OliveTin/OliveTin (Go) on Mar 2, 2026.
GHSA-54p8-x2m9-c593 (Moderate): malcontent: Error-path cleanup gap can leak scanners and fds and degrade availability. Published for github.com/chainguard-dev/malcontent (Go) on Mar 2, 2026.
CVE-2026-27932 (High): joserfc's PBES2 p2c Unbounded Iteration Count enables Denial of Service (DoS). Published for joserfc (pip) on Mar 2, 2026.
GHSA-5pmp-jpcf-pwx6 (Critical): `tracing-check` was removed from crates.io for malicious code. Published for tracing-check (Rust) on Mar 2, 2026.
CVE-2026-27622 (High): OpenEXR's CompositeDeepScanLine integer-overflow leads to heap OOB write. Published for OpenEXR (pip) on Mar 2, 2026.
CVE-2026-21882 (High): theshit's Improper Privilege Dropping Allows Local Privilege Escalation via Command Re-execution. Published for theshit (Rust) on Mar 2, 2026.
GHSA-5r3p-6rj5-7937 (Moderate): Bytebase vulnerable to Improper Authentication. Published for github.com/bytebase/bytebase (Go) on Mar 2, 2026.
GHSA-82g8-464f-2mv7 (Moderate): OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth). Published for openclaw (npm) on Feb 27, 2026.
CVE-2025-29927 (Critical): Authorization Bypass in Next.js Middleware. Published for next (npm) on Mar 21, 2025.
GHSA-5c6j-r48x-rmvq (High): Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString(). Published for serialize-javascript (npm) on Feb 28, 2026.
CVE-2026-0980 (High): rubyipmi is vulnerable to OS Command Injection through malicious usernames. Published for rubyipmi (RubyGems) on Feb 27, 2026.
CVE-2026-1229 (Low): CIRCL has an incorrect calculation in secp384r1 CombinedMult. Published for github.com/cloudflare/circl (Go) on Feb 25, 2026.
CVE-2026-28280 (Moderate): osctrl has Stored Cross-Site Scripting (XSS) in On-Demand Query List. Published for github.com/jmpsec/osctrl (Go) on Feb 28, 2026.
CVE-2026-27939 (High): Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass. Published for statamic/cms (Composer) on Feb 27, 2026.
CVE-2026-27942 (Low): fast-xml-parser has stack overflow in XMLBuilder with preserveOrder. Published for fast-xml-parser (npm) on Feb 26, 2026.
CVE-2026-2293 (High): Nest has a Fastify URL Encoding Middleware Bypass. Published for @nestjs/platform-fastify (npm) on Mar 2, 2026.
GHSA-7q64-3rg2-h9pf (High, withdrawn): Duplicate Advisory: Nest has a Fastify URL Encoding Middleware Bypass. Published for @nestjs/platform-fastify (npm) on Feb 27, 2026.
CVE-2026-27112 (Critical): Kargo has an Authorization Bypass Vulnerability in Batch Resource Creation API Endpoints. Published for github.com/akuity/kargo (Go) on Feb 19, 2026.
CVE-2026-27111 (Moderate): Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints. Published for github.com/akuity/kargo (Go) on Feb 19, 2026.
CVE-2026-28426 (High): Statamic vulnerable to privilege escalation via stored cross-site scripting. Published for statamic/cms (Composer) on Mar 1, 2026.
CVE-2026-28425 (High): Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs. Published for statamic/cms (Composer) on Mar 1, 2026.
CVE-2026-28424 (Moderate): Statamic's missing authorization allows access to email addresses. Published for statamic/cms (Composer) on Mar 1, 2026.
CVE-2026-28423 (Moderate): Statamic Vulnerable to Server-Side Request Forgery via Glide. Published for statamic/cms (Composer) on Mar 1, 2026.
CVE-2026-28416 (High): Gradio has SSRF via Malicious `proxy_url` Injection in `gr.load()` Config Processing. Published for gradio (pip) on Mar 1, 2026.