Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
45
GitHub Actions
47
Go
3,309
Maven
5,000+
npm
5,000+
NuGet
876
pip
4,531
Pub
12
RubyGems
1,009
Rust
1,195
Swift
51
Unreviewed advisories
All unreviewed
5,000+

27,724 advisories

Loading
OpenKruise PodProbeMarker is Vulnerable to SSRF via Unrestricted Host Field Low
CVE-2026-24005 was published for github.com/openkruise/kruise (Go) Feb 25, 2026
b0b0haha Credited to b0b0haha and j311yl0v3u j311yl0v3u j311yl0v3u
ENS DNSSEC Oracle Vulnerable to RSA Signature Forgery via Missing PKCS#1 v1.5 Padding Validation Low
CVE-2026-22866 was published for @ensdomains/ens-contracts (npm) Feb 25, 2026
mchange-commons-java: Remote Code Execution via JNDI Reference Resolution High
CVE-2026-27727 was published for com.mchange:mchange-commons-java (Maven) Feb 25, 2026
dpp Credited to dpp
Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize Moderate
CVE-2026-27829 was published for @astrojs/node (npm) Feb 25, 2026
pHo9UBenaA Credited to pHo9UBenaA
OneUptime: OS Command Injection in Probe NetworkPathMonitor via unsanitized destination in traceroute exec() Critical
CVE-2026-27728 was published for @oneuptime/common (npm) Feb 25, 2026
dxlerYT Credited to dxlerYT
Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo High
CVE-2026-27700 was published for hono (npm) Feb 25, 2026
EdamAme-x Credited to EdamAme-x
Sliver has Potential Zip Bomb Denial of Service in GzipEncoder High
GHSA-2phg-qgmm-r638 was published for github.com/BishopFox/sliver (Go) Feb 25, 2026
Cycloctane Credited to Cycloctane
@enclave-vm/core is vulnerable to Sandbox Escape Critical
CVE-2026-27597 was published for @enclave-vm/core (npm) Feb 25, 2026
c0rydoras Credited to c0rydoras and frontegg-david frontegg-david frontegg-david
OliveTin: OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks Critical
CVE-2026-27626 was published for github.com/OliveTin/OliveTin (Go) Feb 25, 2026
ByamB4 Credited to ByamB4
pypdf has a possible infinite loop when loading circular /Prev entries in cross-reference streams Low
CVE-2026-27628 was published for pypdf (pip) Feb 25, 2026
rampageservices Credited to rampageservices
TypiCMS Core has Stored Cross-Site Scripting (XSS) via SVG File Upload Moderate
CVE-2026-27621 was published for typicms/core (Composer) Feb 25, 2026
lukasz-rybak Credited to lukasz-rybak
Bugsink is vulnerable to Stored XSS via Pygments fallback in stacktrace rendering Critical
CVE-2026-27614 was published for bugsink (pip) Feb 25, 2026
ByamB4 Credited to ByamB4
repostat: Reflected Cross-Site Scripting (XSS) via repo prop in RepoCard Moderate
CVE-2026-27612 was published for repostat (npm) Feb 25, 2026
denpiligrim Credited to denpiligrim
FileBrowser Quantum: Password Protection Not Enforced on Shared File Links High
CVE-2026-27611 was published for github.com/gtsteffaniak/filebrowser/backend (Go) Feb 25, 2026
ByteAfterlife Credited to ByteAfterlife
Fickling has safety check bypass via REDUCE+BUILD opcode sequence Moderate
GHSA-mhc9-48gj-9gp3 was published for fickling (pip) Feb 25, 2026
yash2998chhabria Credited to yash2998chhabria
ImageMagick: Integer Overflow in PSB (PSD v2) RLE decoding path causes heap Out of Bounds reads for 32-bit builds Low
CVE-2026-25984 was published for Magick.NET-Q16-AnyCPU (NuGet) Feb 25, 2026
andsopwn Credited to andsopwn
esm.sh is vulnerable to full-response SSRF High
CVE-2025-50180 was published for github.com/esm-dev/esm.sh (Go) Feb 25, 2026
bestlzk Credited to bestlzk
Dagu: Path traversal in DAG creation allows arbitrary YAML file write outside DAGs directory High
CVE-2026-27598 was published for github.com/dagu-org/dagu (Go) Feb 24, 2026
Fickling: OBJ opcode call invisibility bypasses all safety checks High
GHSA-mxhj-88fx-4pcv was published for fickling (pip) Feb 24, 2026
yash2998chhabria Credited to yash2998chhabria
Statamic is vulnerable to account takeover via password reset link injection Critical
CVE-2026-27593 was published for statamic/cms (Composer) Feb 24, 2026
Neosprings Credited to Neosprings and everythingBlackkk everythingBlackkk everythingBlackkk
Wasmtime can panic when adding excessive fields to a `wasi:http/types.fields` instance Moderate
CVE-2026-27572 was published for wasmtime (Rust) Feb 24, 2026
alexcrichton Credited to alexcrichton
Fiber has a Denial of Service Vulnerability via Route Parameter Overflow Moderate
CVE-2026-25882 was published for github.com/gofiber/fiber/v2 (Go) Feb 24, 2026
sixcolors Credited to sixcolors, TheAspectDev, gaby, and ReneWerner87 TheAspectDev TheAspectDev
gaby gaby ReneWerner87 ReneWerner87
Fiber is Vulnerable to Denial of Service via Flash Cookie Unbounded Allocation High
CVE-2026-25899 was published for github.com/gofiber/fiber/v3 (Go) Feb 24, 2026
tuliperis Credited to tuliperis and gaby gaby gaby
Fiber has an Arbitrary File Read in Static Middleware on Windows High
CVE-2026-25891 was published for github.com/gofiber/fiber/v3 (Go) Feb 24, 2026
wodzen Credited to wodzen and gaby gaby gaby
Wasmtime WASI implementations are vulnerable to guest-controlled resource exhaustion Moderate
CVE-2026-27204 was published for wasmtime (Rust) Feb 24, 2026
mbund Credited to mbund, alexcrichton, and pchickey alexcrichton alexcrichton
pchickey pchickey
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database