GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 61; GitHub Actions 50; Go 3,826; Maven 5,000+; npm 5,000+; NuGet 942; pip 5,000+; Pub 13; RubyGems 1,060; Rust 1,357; Swift 54.
Unreviewed advisories: All unreviewed 5,000+.
30,673 advisories
CI4MS: Stored XSS in Blog Content via Broken `html_purify` Validation Rule. Moderate. CVE-2026-45138, published for ci4-cms-erp/ci4ms (Composer) on May 18, 2026.
Microsoft DirectX12: .spritefont multiply overflow only in 32-bit builds. Moderate. GHSA-5r97-79vw-qvm4, published for directxtk12_desktop_win10 (NuGet) on May 18, 2026.
Microsoft DirectX: .spritefont multiply overflow only in 32-bit builds. Moderate. GHSA-c55g-rp4x-fx84, published for directxtk_desktop_win10 (NuGet) on May 18, 2026.
eduMFA Passkeys: missing expiration flag may allow replay attacks and reuse of old challenges. High. GHSA-j5rm-v3vh-vx94, published for edumfa (pip) on May 18, 2026.
eduMFA: Incorrect InnoDB snapshot isolation possibly allows token reuse. High. GHSA-qq2p-4282-cfc5, published for edumfa (pip) on May 18, 2026.
eduMFA: Unauthenticated Failcounter Increment on Resolver Tokens via /validate/check. Moderate. GHSA-74r7-3mjm-jc5v, published for edumfa (pip) on May 18, 2026.
Statamic CMS: Server-Side Request Forgery via Glide. Moderate. CVE-2026-45660, published for statamic/cms (Composer) on May 18, 2026.
ImageMagick: Heap Buffer Over-Read in IPTC encoder. Moderate. CVE-2026-42326, published for Magick.NET-Q16-AnyCPU (NuGet) on May 18, 2026.
Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2: protocol-relative URI objects still bypass host scoping. Low. CVE-2026-33637, published for faraday (RubyGems) on May 18, 2026.
Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass. Moderate. CVE-2026-45577, published for neotoma (npm) on May 18, 2026.
Arcane Backend: Unauthenticated reflected XSS via SVG color parameter enables admin account takeover. High. CVE-2026-45627, published for github.com/getarcaneapp/arcane/backend (Go) on May 18, 2026.
Arcane Backend: OS Command Injection in Volume Browser ListDirectory via path query parameter. Moderate. CVE-2026-45626, published for github.com/getarcaneapp/arcane/backend (Go) on May 18, 2026.
Arcane Backend: Missing admin authorization on git repository endpoints allows non-admin users to exfiltrate stored Git credentials and tamper with GitOps configs. Critical. CVE-2026-45625, published for github.com/getarcaneapp/arcane/backend (Go) on May 18, 2026.
Sveltia CMS: Stored XSS in entry summary rendering via entity-decoded HTML. Low. GHSA-97r8-rf7q-wmjw, published for @sveltia/cms (npm) on May 18, 2026.
Caddy: Unsafe Unicode Handling in FastCGI splitPos Allows Execution of Non-PHP Files. High. CVE-2026-45135, published for github.com/caddyserver/caddy/v2 (Go) on May 18, 2026.
webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins. Moderate. CVE-2026-6402, published for webpack-dev-server (npm) on May 18, 2026.
AVideo CVE-2026-43881 incomplete fix: `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`. Moderate. CVE-2026-45620, published for WWBN/AVideo (Composer) on May 18, 2026.
Spring AI MCP Security: Unvalidated URL Fetching (SSRF). High. CVE-2026-45609, published for org.springaicommunity:mcp-client-security (Maven) on May 18, 2026.
form-data-objectizer: Prototype pollution via bracket-notation form keys. High. CVE-2026-46510, published for form-data-objectizer (npm) on May 18, 2026.
Graphite has a Pickle deserialization vulnerability. High. GHSA-qw48-84f6-28gv, published for graphitedb (pip) on May 18, 2026.
n8n-MCP: Workflow telemetry sanitizer could retain partial values from URL-shaped node parameters. Moderate. CVE-2026-45582, published for n8n-mcp (npm) on May 18, 2026.
Microsoft APM: Symlinks under `.apm/prompts/` and `.apm/agents/` are dereferenced during `apm install`, copying host-local file contents into the project tree. High. CVE-2026-45539, published for apm (pip) on May 18, 2026.
iskorotkov/avro: Denial-of-Service Vulnerability in Decoder. High. GHSA-mx64-mj3q-7prj, published for github.com/iskorotkov/avro/v2 (Go) on May 18, 2026.
AVideo CVE-2026-43884 incomplete fix: six (or more) `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post-`603e7bf`. Moderate. CVE-2026-45619, published for WWBN/AVideo (Composer) on May 15, 2026.
AVideo: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA. Moderate. CVE-2026-45610, published for WWBN/AVideo (Composer) on May 15, 2026.
Advisories are also available from the GraphQL API.