Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
47
Go
3,295
Maven
5,000+
npm
5,000+
NuGet
876
pip
4,524
Pub
12
RubyGems
1,008
Rust
1,194
Swift
51
Unreviewed advisories
All unreviewed
5,000+

27,653 advisories

Loading
Multer vulnerable to Denial of Service via incomplete cleanup High
CVE-2026-3304 was published for multer (npm) Mar 1, 2026
EthanKim88 Credited to EthanKim88, ctcpip, UlisesGascon, and bjohansebas ctcpip ctcpip
UlisesGascon UlisesGascon bjohansebas bjohansebas
Multer vulnerable to Denial of Service via resource exhaustion High
CVE-2026-2359 was published for multer (npm) Mar 1, 2026
ctcpip Credited to ctcpip, nawin23, UlisesGascon, sheplu, and bjohansebas nawin23 nawin23
UlisesGascon UlisesGascon sheplu sheplu bjohansebas bjohansebas
Gradio: Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret Low
CVE-2026-27167 was published for gradio (pip) Mar 1, 2026
tenbbughunters Credited to tenbbughunters
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() High
GHSA-5c6j-r48x-rmvq was published for serialize-javascript (npm) Feb 28, 2026
uug4na Credited to uug4na and FeBe95 FeBe95 FeBe95
malcontent: Nested archive extraction failure can drop content from scan inputs Moderate
CVE-2026-28407 was published for github.com/chainguard-dev/malcontent (Go) Feb 28, 2026
1seal Credited to 1seal and egibs egibs egibs
PMD Designer has Stored XSS in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages Moderate
CVE-2026-28338 was published for net.sourceforge.pmd:pmd-core (Maven) Feb 28, 2026
smaranchand Credited to smaranchand
Hive has Double-free and Use After Free Vulnerabilities Moderate
GHSA-j8cj-hw74-64jv was published for hivex (Rust) Feb 28, 2026
@fastify/middie has Improper Path Normalization when Using Path-Scoped Middleware High
CVE-2026-2880 was published for @fastify/middie (npm) Feb 28, 2026
tachote Credited to tachote, mcollina, UlisesGascon, and Eomm mcollina mcollina
UlisesGascon UlisesGascon Eomm Eomm
pypdf: Manipulated RunLengthDecode streams can exhaust RAM Moderate
CVE-2026-28351 was published for pypdf (pip) Feb 28, 2026
bugbunny-research Credited to bugbunny-research and stefan6419846 stefan6419846 stefan6419846
osctrl has Stored Cross-Site Scripting (XSS) in On-Demand Query List Moderate
CVE-2026-28280 was published for github.com/jmpsec/osctrl (Go) Feb 28, 2026
sho-luv Credited to sho-luv and Kwangyun Kwangyun Kwangyun
osctrl is Vulnerable to OS Command Injection via Environment Configuration High
CVE-2026-28279 was published for github.com/jmpsec/osctrl (Go) Feb 28, 2026
sho-luv Credited to sho-luv and Kwangyun Kwangyun Kwangyun
SvelteKit has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimental only) Low
GHSA-fpg4-jhqr-589c was published for @sveltejs/kit (npm) Feb 28, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github and jviide jviide jviide
jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition High
GHSA-72hv-8253-57qq was published for com.fasterxml.jackson.core:jackson-core (Maven) Feb 28, 2026
sprabhav7 Credited to sprabhav7, rohan-repos, and neilmadden-hazelcast rohan-repos rohan-repos
neilmadden-hazelcast neilmadden-hazelcast
Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse Critical
CVE-2026-28268 was published for code.vikunja.io/api (Go) Feb 28, 2026
VashuVats Credited to VashuVats
Junrar has an arbitrary file write due to backslash Path Traversal bypass in LocalFolderExtractor on Linux/Unix Moderate
CVE-2026-28208 was published for com.github.junrar:junrar (Maven) Feb 27, 2026
Cache-Money Credited to Cache-Money
OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata Moderate
GHSA-7jx5-9fjg-hp4m was published for openclaw (npm) Feb 27, 2026
nedlir Credited to nedlir
OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth) Moderate
CVE-2026-4039 was published for openclaw (npm) Feb 27, 2026
nedlir Credited to nedlir
Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass High
CVE-2026-27939 was published for statamic/cms (Composer) Feb 27, 2026
Mistz1 Credited to Mistz1
ZITADEL has potential SSRF via Actions Low
CVE-2026-27945 was published for github.com/zitadel/zitadel/v2 (Go) Feb 27, 2026
IAM-marco Credited to IAM-marco and livio-a livio-a livio-a
ZITADEL Users Can Self-Verify Email/Phone via UpdateHumanUser API High
CVE-2026-27946 was published for github.com/zitadel/zitadel (Go) Feb 27, 2026
livio-a Credited to livio-a and IAM-marco IAM-marco IAM-marco
ZITADEL's truncated opaque tokens are still valid Moderate
CVE-2026-27840 was published for github.com/zitadel/zitadel (Go) Feb 27, 2026
lucasdodgson Credited to lucasdodgson, muhlemmer, livio-a, and wim07101993 muhlemmer muhlemmer
livio-a livio-a wim07101993 wim07101993
phpMyFAQ Allows Unauthenticated Account Creation via WebAuthn Prepare Endpoint High
CVE-2026-27836 was published for thorsten/phpmyfaq (Composer) Feb 27, 2026
offensiveee Credited to offensiveee
Beszel: Docker API has a Path Traversal Vulnerability via Unsanitized Container ID Moderate
CVE-2026-27734 was published for github.com/henrygd/beszel (Go) Feb 27, 2026
nekros1xx Credited to nekros1xx
@actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode Moderate
CVE-2026-27638 was published for @actual-app/sync-server (npm) Feb 27, 2026
q1uf3ng Credited to q1uf3ng
Umbraco.Engage.Forms Allows Unauthorized Access to Multiple API Endpoints High
CVE-2026-27449 was published for Umbraco.Engage.Forms (NuGet) Feb 27, 2026
Amalie-Wowern Credited to Amalie-Wowern
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database