
GitHub Advisory Database

Security vulnerability database covering CVEs and GitHub-originated security advisories from the world of open source software.

27,653 advisories

NocoDB has Plaintext Storage of Shared View Passwords (severity: Low)
CVE-2026-28360 was published for nocodb (npm) on Mar 2, 2026
Credited to Tulgaaaaaaaa

NocoDB Vulnerable to Stored Cross-site Scripting via Rich Text Field (severity: Moderate)
CVE-2026-28359 was published for nocodb (npm) on Mar 2, 2026
Credited to Akokonunes and neo-ai-engineer

NocoDB Vulnerable to User Enumeration via Password Reset Endpoint (severity: Low)
CVE-2026-28358 was published for nocodb (npm) on Mar 2, 2026
Credited to Tulgaaaaaaaa

NocoDB has Stored Cross-site Scripting via Formula Cell (severity: Moderate)
CVE-2026-28357 was published for nocodb (npm) on Mar 2, 2026
Credited to Akokonunes and neo-ai-engineer

lxml-html-clean has <base> tag injection through default Cleaner configuration (severity: Moderate)
CVE-2026-28350 was published for lxml-html-clean (pip) on Mar 2, 2026
Credited to uug4na, frenzymadness, and befeleme

lxml-html-clean has CSS @import Filter Bypass via Unicode Escapes (severity: Moderate)
CVE-2026-28348 was published for lxml-html-clean (pip) on Mar 2, 2026
Credited to uug4na and frenzymadness

OliveTin has Unauthenticated Denial of Service via Memory Exhaustion in PasswordHash API Endpoint (severity: High)
CVE-2026-28342 was published for github.com/OliveTin/OliveTin (Go) on Mar 2, 2026
Credited to fg0x0

malcontent: Error-path cleanup gap can leak scanners and fds and degrade availability (severity: Moderate)
GHSA-54p8-x2m9-c593 was published for github.com/chainguard-dev/malcontent (Go) on Mar 2, 2026
Credited to 1seal, stevebeattie, and egibs

joserfc's PBES2 p2c Unbounded Iteration Count enables Denial of Service (DoS) (severity: High)
CVE-2026-27932 was published for joserfc (pip) on Mar 2, 2026
Credited to Jaynornj and Pr00fOf3xpl0it
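The joserfc entry above names an unbounded PBES2 p2c, the PBKDF2 iteration count carried in a JWE protected header. That header is attacker-supplied and is not authenticated until the wrapped key has been unwrapped, so the count has to be range-checked before a single PBKDF2 iteration runs. The following is an added example, not joserfc's code and not the fix that advisory shipped: it does the check with the standard library only. The bounds P2C_MIN/P2C_MAX, the helper names and the constructed headers are assumptions for illustration. An anonymous caller who can make a server do expensive hashing is the same class of problem as the OliveTin entry above, which this example does not cover.

```python
import base64
import hashlib
import json
import os
from typing import Optional

# Iteration-count window. RFC 7518 sets no ceiling, so the ceiling here is an
# assumption chosen for this example; size it to the CPU budget of the verifier.
P2C_MIN = 1_000
P2C_MAX = 1_000_000

# PRF and derived-key length for each PBES2 alg (RFC 7518 section 4.8).
PBES2_ALGS = {
    "PBES2-HS256+A128KW": ("sha256", 16),
    "PBES2-HS384+A192KW": ("sha384", 24),
    "PBES2-HS512+A256KW": ("sha512", 32),
}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def pbes2_derive_key(protected_b64: str, password: bytes, p2c_max: int = P2C_MAX) -> bytes:
    """Derive the PBES2 key-wrapping key named by a JWE protected header.

    Nothing in the header is trusted yet (the authentication tag is only checked
    after the CEK is unwrapped), so alg, p2s and p2c are validated before the
    first PBKDF2 iteration. Without the p2c ceiling a single short token can
    pin a CPU core for as long as the attacker likes.
    """
    try:
        header = json.loads(b64url_decode(protected_b64))
    except ValueError as exc:  # binascii.Error and JSONDecodeError are both ValueErrors
        raise ValueError("malformed protected header") from exc
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")

    alg = header.get("alg")
    if alg not in PBES2_ALGS:
        raise ValueError(f"unsupported alg {alg!r}")
    hash_name, dk_len = PBES2_ALGS[alg]

    p2c = header.get("p2c")
    # type() rather than isinstance(): bool is an int subclass, and a float or a
    # numeric string must not be silently coerced into an iteration count.
    if type(p2c) is not int or not P2C_MIN <= p2c <= p2c_max:
        raise ValueError(f"p2c must be an int in [{P2C_MIN}, {p2c_max}], got {p2c!r}")

    p2s = header.get("p2s")
    if not isinstance(p2s, str):
        raise ValueError("p2s missing or not a string")
    p2s_bytes = b64url_decode(p2s)
    if len(p2s_bytes) < 8:  # RFC 7518 section 4.8.1.1: at least 8 octets
        raise ValueError("p2s shorter than 8 octets")

    # RFC 7518 section 4.8.1.1: salt = UTF8(alg) || 0x00 || p2s
    salt = alg.encode("utf-8") + b"\x00" + p2s_bytes
    return hashlib.pbkdf2_hmac(hash_name, password, salt, p2c, dklen=dk_len)


def make_protected_header(alg: str, p2c, p2s: Optional[bytes] = None) -> str:
    """Constructed test input: a base64url JWE protected header (not a real token)."""
    salt = os.urandom(16) if p2s is None else p2s
    header = {"alg": alg, "enc": "A128GCM", "p2s": b64url_encode(salt), "p2c": p2c}
    return b64url_encode(json.dumps(header).encode("utf-8"))


def rejects(protected_b64: str, password: bytes = b"correct horse") -> bool:
    """True if the header is refused before any key derivation happens."""
    try:
        pbes2_derive_key(protected_b64, password)
    except ValueError:
        return True
    return False
```

The ceiling belongs in the decoder, not in a rate limiter in front of it: a rate limiter caps requests per second, but one request with p2c set to a few billion still costs the same as that many legitimate ones.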
`tracing-check` was removed from crates.io for malicious code (severity: Critical)
GHSA-5pmp-jpcf-pwx6 was published for tracing-check (Rust) on Mar 2, 2026

OpenEXR's CompositeDeepScanLine integer-overflow leads to heap OOB write (severity: High)
CVE-2026-27622 was published for OpenEXR (pip) on Mar 2, 2026
Credited to quangIO and thaidn
Credited to AsfhtgkDavid

Bytebase vulnerable to Improper Authentication (severity: Moderate)
GHSA-5r3p-6rj5-7937 was published for github.com/bytebase/bytebase (Go) on Mar 2, 2026

Nest has a Fastify URL Encoding Middleware Bypass (severity: High)
CVE-2026-2293 was published for @nestjs/platform-fastify (npm) on Mar 2, 2026

Statamic vulnerable to privilege escalation via stored cross-site scripting (severity: High)
CVE-2026-28426 was published for statamic/cms (Composer) on Mar 1, 2026

Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs (severity: High)
CVE-2026-28425 was published for statamic/cms (Composer) on Mar 1, 2026
Credited to Neosprings

Statamic's missing authorization allows access to email addresses (severity: Moderate)
CVE-2026-28424 was published for statamic/cms (Composer) on Mar 1, 2026

Statamic Vulnerable to Server-Side Request Forgery via Glide (severity: Moderate)
CVE-2026-28423 was published for statamic/cms (Composer) on Mar 1, 2026
Credited to dxlerYT

Gradio has SSRF via Malicious `proxy_url` Injection in `gr.load()` Config Processing (severity: High)
CVE-2026-28416 was published for gradio (pip) on Mar 1, 2026
Credited to logicx24
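Two entries above (Statamic via Glide, Gradio via `proxy_url`) are server-side request forgery: a URL the user controls is fetched by the server, which can reach loopback, RFC 1918 ranges and the cloud metadata address that the user cannot. The check a fetcher needs is on the resolved destination, not on the hostname string. The following is an added example and not code from either project; the resolver is injectable so the check runs offline, and the table of names and addresses it is tested against is constructed for this example.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_forbidden_address(ip) -> bool:
    """Anything that is not a public unicast address: loopback, RFC 1918,
    link-local (169.254.169.254 is the cloud metadata service), CGNAT,
    reserved, multicast and unspecified. An IPv4-mapped IPv6 literal such as
    ::ffff:10.0.0.1 is unwrapped first so it cannot smuggle an IPv4 target
    past the IPv4 rules."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (not ip.is_global) or ip.is_multicast or ip.is_reserved


def system_resolver(host: str) -> List[str]:
    """Every A/AAAA record: a zone the attacker runs can answer with one public
    and one private address and let the client pick."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def table_resolver(table: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Constructed offline stand-in for DNS, used by the checks below."""
    return lambda host: table.get(host, [])


def validate_outbound_url(url: str, resolver: Callable[[str], Iterable[str]] = system_resolver) -> str:
    """Vet a user-supplied URL before a server-side fetch.

    Returns the hostname, or raises ValueError with the reason for refusal."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    # http://trusted.example@10.0.0.1/ reads as trusted to a human and as
    # 10.0.0.1 to the client library; refuse userinfo outright.
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL is not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        addresses = [literal]
    else:
        addresses = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addresses:
        raise ValueError(f"{host!r} does not resolve")
    for addr in addresses:
        if is_forbidden_address(addr):
            raise ValueError(f"{host!r} resolves to non-public address {addr}")
    return host


def is_safe_outbound_url(url: str, resolver: Callable[[str], Iterable[str]] = system_resolver) -> bool:
    try:
        validate_outbound_url(url, resolver)
    except ValueError:
        return False
    return True
```

Two caveats this example does not solve. First, the fetch has to connect to the address that was checked (pin it, or check inside the connection hook), otherwise a second lookup at connect time lets a short-TTL record rebind to a private address. Second, redirects are new URLs and must go through the same check; most HTTP clients follow them silently.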
Gradio has an Open Redirect in its OAuth Flow (severity: Moderate)
CVE-2026-28415 was published for gradio (pip) on Mar 1, 2026
Credited to logicx24
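An open redirect in an OAuth flow matters more than most: the post-login "return to" value is the point at which the browser is holding a fresh session, and a redirect to an attacker host at that moment is the classic way tokens and codes leak. The safe shape of that parameter is a same-origin path, and the validation has to be done on the raw string, because URL parsers and browsers disagree about forms like `///evil` and `/\evil`. The function below is an added example, not Gradio's code or its fix; the accepted grammar (leading slash, no authority, no scheme, no control characters) is a policy choice made for this example.

```python
from typing import Optional
from urllib.parse import urlsplit


def safe_return_path(candidate: Optional[str], default: str = "/") -> str:
    """Return candidate if it is a same-origin path, otherwise default.

    Accepted: "/path", "/path?x=1#frag". Rejected: anything carrying a scheme
    or authority ("https://evil", "//evil", "https:evil", "javascript:..."),
    the backslash and triple-slash spellings browsers read as an authority
    ("/\\evil", "///evil"), bare relative paths, and control characters.
    """
    if not candidate:
        return default
    # Browsers strip some C0 controls before parsing; refusing them is simpler
    # than modelling which ones.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
        return default
    # In http(s) URLs a backslash is treated like a forward slash, so
    # normalise before looking at the leading characters.
    normalised = candidate.replace("\\", "/")
    # Decide on the raw string: urlsplit("///evil") reports an empty netloc
    # and path "/evil", while a browser resolves it to http://evil/.
    if not normalised.startswith("/") or normalised.startswith("//"):
        return default
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        return default
    return normalised
```

If the application must send users to other hosts after login, the right structure is an allowlist of registered redirect URIs compared exactly (the same rule OAuth applies to `redirect_uri` itself), not a prefix or substring match on the user-supplied value.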
Gradio is Vulnerable to Absolute Path Traversal on Windows with Python 3.13+ (severity: High)
CVE-2026-28414 was published for gradio (pip) on Mar 1, 2026
Credited to nvn1729

kaniko has tar archive path traversal in its build context extraction, allowing file writes outside destination directories (severity: High)
CVE-2026-28406 was published for github.com/chainguard-dev/kaniko (Go) on Mar 1, 2026
Credited to 1seal
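The kaniko entry above is the tar form of path traversal: member names like `../../etc/cron.d/x`, absolute names, and a symlink planted by one member and written through by the next all put files outside the extraction directory. The Gradio entry just before it is the absolute-path form of the same bug. Both come down to one test, "where does this write really land, after symlinks and `..` are resolved, and is that under the destination?", which has to be made per member and before the write. The code below is an added example in Python (kaniko itself is Go, and this is not its code or its fix): it builds constructed archives in memory, extracts the benign one, and refuses each hostile one. The file names and contents are made up for the demonstration.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path
from typing import List, Optional, Sequence, Tuple


def build_tar(members: Sequence[Tuple]) -> bytes:
    """Constructed test archive. (name, bytes) adds a regular file;
    (name, None, linkname) adds a symlink. Names are written verbatim."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for member in members:
            name, data = member[0], member[1]
            info = tarfile.TarInfo(name)
            if data is None:
                info.type = tarfile.SYMTYPE
                info.linkname = member[2]
                tf.addfile(info)
            else:
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def resolve_inside(dest: Path, rel: str) -> Path:
    """dest/rel if it lands inside dest after symlink and '..' resolution, else ValueError."""
    # Do not lean on os.path.isabs alone: refuse any leading separator and any
    # drive-relative spelling ("C:foo") explicitly, whatever the platform rules are.
    if os.path.isabs(rel) or rel.startswith(("/", "\\")) or (len(rel) > 1 and rel[1] == ":"):
        raise ValueError(f"absolute member path: {rel!r}")
    # resolve() follows symlinks an earlier member may have planted, so the
    # containment test is made on where the write would really land.
    target = (dest / rel).resolve()
    if not target.is_relative_to(dest):
        raise ValueError(f"member escapes destination: {rel!r}")
    return target


def safe_extract(archive: bytes, dest: str) -> List[str]:
    """Extract into dest, refusing every member that would write outside it."""
    dest_path = Path(dest).resolve()
    written: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tf:
        for member in tf:
            target = resolve_inside(dest_path, member.name)
            if member.isdir():
                target.mkdir(parents=True, exist_ok=True)
            elif member.isfile():
                target.parent.mkdir(parents=True, exist_ok=True)
                with tf.extractfile(member) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            elif member.issym():
                # The link target is relative to the link's own directory and
                # must stay inside dest too, or the next member writes through it.
                link_rel = os.path.normpath(os.path.join(os.path.dirname(member.name), member.linkname))
                resolve_inside(dest_path, link_rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.symlink_to(member.linkname)
            else:
                # Hard links, devices and FIFOs have no business in a build context.
                raise ValueError(f"unsupported member type for {member.name!r}")
            written.append(target.relative_to(dest_path).as_posix())
    return written


def extraction_error(archive: bytes, dest: str) -> Optional[str]:
    """The refusal message for a hostile archive, or None if it extracted cleanly."""
    try:
        safe_extract(archive, dest)
    except ValueError as exc:
        return str(exc)
    return None


def run_demo() -> dict:
    """Extract one benign and four hostile constructed archives into a fresh temp dir."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        benign = build_tar([("app/Dockerfile", b"FROM scratch\n"), ("app/src/main.go", b"package main\n")])
        results["benign"] = safe_extract(benign, tmp)
        hostile = {
            "dotdot": build_tar([("../../etc/cron.d/evil", b"* * * * * root id\n")]),
            "absolute": build_tar([("/etc/passwd", b"root::0:0::/:/bin/sh\n")]),
            "nested_dotdot": build_tar([("app/../../escape", b"x")]),
            "symlink_escape": build_tar([("out", None, "../"), ("out/pwned", b"x")]),
        }
        results["rejected"] = {name: extraction_error(tar, tmp) is not None for name, tar in hostile.items()}
        results["dest_listing"] = sorted(os.listdir(tmp))
    return results
```

In Python 3.12 and later the standard library does this for you: `tarfile.extractall(path, filter="data")` rejects absolute names, escaping `..` and links pointing outside the destination. The point of spelling it out here is the shape of the check, which is the same in Go, where kaniko lives: resolve first, compare against the real destination, and only then open the file.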
hex_core has Unsafe Deserialization of Erlang Terms (severity: Low)
CVE-2026-21619 was published for hex_core (Erlang) on Mar 1, 2026
Credited to realcorvus and maennchen

Indico has a missing access check in the event series management API (severity: Moderate)
CVE-2026-28352 was published for indico (pip) on Mar 1, 2026

INSATutorat has an authorization bypass vulnerability in its /api/admin/* endpoints (severity: High)
GHSA-xfx2-prg5-jq3g was published for github.com/romitou/insatutorat (Go) on Mar 1, 2026