GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

27,762 advisories

FileBrowser Quantum: Password Protection Not Enforced on Shared File Links High
CVE-2026-27611 was published for github.com/gtsteffaniak/filebrowser/backend (Go) Feb 25, 2026
Credited to ByteAfterlife
Fickling has safety check bypass via REDUCE+BUILD opcode sequence Moderate
GHSA-mhc9-48gj-9gp3 was published for fickling (pip) Feb 25, 2026
Credited to yash2998chhabria
ImageMagick: Integer Overflow in PSB (PSD v2) RLE decoding path causes heap Out of Bounds reads for 32-bit builds Low
CVE-2026-25984 was published for Magick.NET-Q16-AnyCPU (NuGet) Feb 25, 2026
Credited to andsopwn
esm.sh is vulnerable to full-response SSRF High
CVE-2025-50180 was published for github.com/esm-dev/esm.sh (Go) Feb 25, 2026
Credited to bestlzk
Dagu: Path traversal in DAG creation allows arbitrary YAML file write outside DAGs directory High
CVE-2026-27598 was published for github.com/dagu-org/dagu (Go) Feb 24, 2026
Fickling: OBJ opcode call invisibility bypasses all safety checks High
GHSA-mxhj-88fx-4pcv was published for fickling (pip) Feb 24, 2026
Credited to yash2998chhabria
Statamic is vulnerable to account takeover via password reset link injection Critical
CVE-2026-27593 was published for statamic/cms (Composer) Feb 24, 2026
Credited to Neosprings and everythingBlackkk
Wasmtime can panic when adding excessive fields to a `wasi:http/types.fields` instance Moderate
CVE-2026-27572 was published for wasmtime (Rust) Feb 24, 2026
Credited to alexcrichton
Fiber has a Denial of Service Vulnerability via Route Parameter Overflow Moderate
CVE-2026-25882 was published for github.com/gofiber/fiber/v2 (Go) Feb 24, 2026
Credited to sixcolors, TheAspectDev, gaby, and ReneWerner87
Fiber is Vulnerable to Denial of Service via Flash Cookie Unbounded Allocation High
CVE-2026-25899 was published for github.com/gofiber/fiber/v3 (Go) Feb 24, 2026
Credited to tuliperis and gaby
Fiber has an Arbitrary File Read in Static Middleware on Windows High
CVE-2026-25891 was published for github.com/gofiber/fiber/v3 (Go) Feb 24, 2026
Credited to wodzen and gaby
Wasmtime WASI implementations are vulnerable to guest-controlled resource exhaustion Moderate
CVE-2026-27204 was published for wasmtime (Rust) Feb 24, 2026
Credited to mbund, alexcrichton, and pchickey
Wasmtime is vulnerable to panic when dropping a `[Typed]Func::call_async` future Moderate
CVE-2026-27195 was published for wasmtime (Rust) Feb 24, 2026
Credited to dicej
Caddy: Unicode case-folding length expansion causes incorrect split_path index in FastCGI transport High
CVE-2026-27590 was published for github.com/caddyserver/caddy/v2 (Go) Feb 24, 2026
Credited to dunglas and AbdrrahimDahmani
Caddy is vulnerable to cross-origin config application via local admin API /load Moderate
CVE-2026-27589 was published for github.com/caddyserver/caddy/v2 (Go) Feb 24, 2026
Credited to 1seal
Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass High
CVE-2026-27588 was published for github.com/caddyserver/caddy/v2 (Go) Feb 24, 2026
Credited to manizada
Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass High
CVE-2026-27587 was published for github.com/caddyserver/caddy/v2 (Go) Feb 24, 2026
Credited to manizada
Caddy: mTLS client authentication silently fails open when CA certificate file is missing or malformed High
CVE-2026-27586 was published for github.com/caddyserver/caddy/v2 (Go) Feb 24, 2026
Credited to moscowchill
Caddy: Improper sanitization of glob characters in file matcher may lead to bypassing security protections Moderate
CVE-2026-27585 was published for github.com/caddyserver/caddy/v2 (Go) Feb 24, 2026
Credited to parrot409
ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints Critical
CVE-2026-27584 was published for @actual-app/sync-server (npm) Feb 24, 2026
Credited to iamsilk
Payload: Server-Side Request Forgery (SSRF) in External File URL Uploads Moderate
CVE-2026-27567 was published for payload (npm) Feb 24, 2026
Credited to r3dbrothers
MindsDB: Path Traversal in /api/files Leading to Remote Code Execution High
CVE-2026-27483 was published for mindsdb (pip) Feb 24, 2026
Credited to XlabAITeam
Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause Moderate
CVE-2026-27461 was published for pimcore/pimcore (Composer) Feb 24, 2026
Credited to q1uf3ng
NiceGUI vulnerable to XSS via Code Injection during client-side element function execution Moderate
CVE-2026-27156 was published for nicegui (pip) Feb 24, 2026
Credited to anuraagbaishya, evnchn, and falkoschindler
FUXA has JWT Authentication Bypass via HTTP Referer header spoofing Critical
CVE-2025-69985 was published for @frangoteam/fuxa (npm) Feb 24, 2026
ProTip! Advisories are also available from the GraphQL API