GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open source software.
27,800 advisories
Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit
Severity: Moderate. CVE-2026-27128 was published for craftcms/cms (Composer) on Feb 23, 2026.

Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding
Severity: High. CVE-2026-27127 was published for craftcms/cms (Composer) on Feb 23, 2026.
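The title above names the classic weakness behind metadata-SSRF bypasses: the application resolves a hostname once to check it, then resolves it again when it connects, and a rebinding DNS server answers differently each time. The following is an added illustration of the check-once, connect-to-the-checked-address pattern; it is not Craft CMS code, and the blocklist, function names and the simulated resolver are assumptions for the example.

```javascript
// Added example (not Craft CMS code): rebinding-resistant SSRF target validation.

// Parse a dotted-quad IPv4 literal into a 32-bit number, or return null.
function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// Ranges an outbound fetch must never reach: "this network", RFC 1918, CGNAT,
// loopback and link-local (where 169.254.169.254 cloud metadata lives).
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

function inCidr(ipNum, base, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipNum & mask) >>> 0) === ((parseIPv4(base) & mask) >>> 0);
}

// True when a literal address must not be contacted. IPv6 is handled
// conservatively: unspecified/loopback, ULA (fc00::/7), link-local (fe80::/10)
// and IPv4-mapped (::ffff:a.b.c.d) forms are checked; the hex-mapped form and
// other non-canonical spellings are NOT normalised here, so production code
// should canonicalise with a real parser (e.g. Node's net.BlockList) first.
function isBlockedAddress(ip) {
  const lower = String(ip).toLowerCase();
  const mapped = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/.exec(lower);
  if (mapped) return isBlockedAddress(mapped[1]);
  const v4 = parseIPv4(lower);
  if (v4 !== null) return BLOCKED_V4.some(([base, bits]) => inCidr(v4, base, bits));
  if (lower === '::' || lower === '::1') return true;
  if (/^f[cd][0-9a-f]{2}:/.test(lower)) return true;   // fc00::/7 (covers fd00:ec2::254)
  if (/^fe[89ab][0-9a-f]:/.test(lower)) return true;   // fe80::/10
  if (/^[0-9a-f:]+$/.test(lower)) return false;         // other IPv6 literal: allowed
  return true;                                          // not an address at all: refuse
}

// Resolve ONCE, validate the resolved address, and return a pinned target. The
// caller must open the socket to `ip` and only use `host` for the Host header
// and SNI. `lookup` is injected so the example runs offline.
function pinTarget(hostname, lookup) {
  const ip = lookup(hostname);
  if (isBlockedAddress(ip)) {
    throw new Error(`refusing ${hostname}: resolves to blocked address ${ip}`);
  }
  return { host: hostname, ip };
}

// Constructed rebinding resolver: a harmless public address on the first query,
// the metadata address on every later one, as a rebinding attacker's DNS would.
function makeRebindingLookup(first, later) {
  let calls = 0;
  return () => (calls++ === 0 ? first : later);
}

// The vulnerable pattern, for contrast: validate by resolving, then connect by
// name, which resolves a second time and gets the attacker's second answer.
function connectCheckedByNameUnsafe(hostname, lookup) {
  if (isBlockedAddress(lookup(hostname))) throw new Error('blocked');
  return lookup(hostname); // this is the address that would actually be connected
}
```

In Node the pinned address is enforced by passing a custom `lookup` option (on the request or the `https.Agent`) that returns the address `pinTarget` already validated, with `servername` set to the original hostname. Every redirect hop is a new target and must go through the same check; a blocklist alone does nothing if the connect step can re-resolve.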
Craft CMS has Stored XSS in Table Field via "HTML" Column Type
Severity: Moderate. CVE-2026-27126 was published for craftcms/cms (Composer) on Feb 23, 2026.

yt-dlp: Arbitrary Command Injection when using the `--netrc-cmd` option
Severity: High. CVE-2026-26331 was published for yt-dlp (pip) on Feb 23, 2026.

ormar is vulnerable to SQL Injection through aggregate functions min() and max()
Severity: Critical. CVE-2026-26198 was published for ormar (pip) on Feb 23, 2026.

New API has Potential XSS in its MarkdownRenderer component
Severity: High. CVE-2026-25802 was published for github.com/QuantumNous/new-api (Go) on Feb 23, 2026.

New API has an SQL LIKE Wildcard Injection DoS via Token Search
Severity: High. CVE-2026-25591 was published for github.com/QuantumNous/new-api (Go) on Feb 23, 2026.
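A LIKE wildcard injection is not a classic SQL injection: the search term may already be a bound parameter, but `%` and `_` inside it are still pattern metacharacters, so a term such as `%%%%%%%%` forces the database to evaluate a far more expensive match than the caller intended. The following is an added illustration of escaping wildcards and bounding the search, not New API code; the table, column and function names are assumptions.

```javascript
// Added example (not New API code): literal-match LIKE search with escaped wildcards.

// Characters that carry meaning inside a SQL LIKE pattern. The backslash is
// included because it is the ESCAPE character declared in the query below.
const LIKE_SPECIALS = /[\\%_]/g;

// Assumed cap; bounds the pattern the query planner has to evaluate.
const MAX_SEARCH_LENGTH = 64;

// Escape user input so every character matches literally inside a LIKE pattern.
function escapeLikePattern(term) {
  return term.replace(LIKE_SPECIALS, (ch) => '\\' + ch);
}

// Build a parameterised "contains" search. The term is never spliced into the
// SQL text; it travels as a bound parameter with its wildcards escaped, and the
// explicit ESCAPE clause makes the escape character independent of the
// database's default.
function buildTokenSearch(rawTerm) {
  if (typeof rawTerm !== 'string') throw new TypeError('search term must be a string');
  const term = rawTerm.trim();
  if (term.length === 0 || term.length > MAX_SEARCH_LENGTH) {
    throw new RangeError(`search term must be 1-${MAX_SEARCH_LENGTH} characters`);
  }
  return {
    sql: "SELECT id, name FROM tokens WHERE name LIKE ? ESCAPE '\\' LIMIT 100",
    params: ['%' + escapeLikePattern(term) + '%'],
  };
}

// The weak variant, for contrast: parameterised, yet the user's "%" and "_"
// remain live wildcards because nothing escapes them.
function buildTokenSearchUnsafe(rawTerm) {
  return {
    sql: 'SELECT id, name FROM tokens WHERE name LIKE ?',
    params: ['%' + rawTerm + '%'],
  };
}

// Count the wildcards still active in a pattern, honouring backslash escapes.
// This is the number that grows without bound in the unsafe variant.
function activeWildcards(pattern) {
  let count = 0;
  for (let i = 0; i < pattern.length; i++) {
    if (pattern[i] === '\\') { i++; continue; }
    if (pattern[i] === '%' || pattern[i] === '_') count++;
  }
  return count;
}
```

Escaping fixes the injected wildcards, but a `%term%` search is still a scan; the length cap and `LIMIT` are what keep a single request's cost bounded, and a prefix-only pattern (`term%`) is cheaper still where the product allows it.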
Astro has Full-Read SSRF in error rendering via Host: header injection
Severity: Moderate. CVE-2026-25545 was published for @astrojs/node (npm) on Feb 23, 2026.

yapi disables TLS/SSL certificate validation via rejectUnauthorized: false in Axios HTTPS agent
Severity: High. CVE-2025-70058 was published for yapi-vendor (npm) on Feb 23, 2026.
Apache Camel Deserializes Untrusted Data in its LevelDB Component
Severity: High. CVE-2026-25747 was published for org.apache.camel:camel-leveldb (Maven) on Feb 23, 2026.

Apache Camel: KeycloakSecurityPolicy does not validate issuer of JWT tokens against configured realm
Severity: Critical. CVE-2026-23552 was published for org.apache.camel:camel-keycloak (Maven) on Feb 23, 2026.

datapizza-ai: Server-Side Template Injection in ChatPromptTemplate via Jinja2 Template Handler
Severity: Low. CVE-2026-2969 was published for datapizza-ai-core (pip) on Feb 23, 2026.

datapizza-ai has unsafe deserialization via pickle.loads() in RedisCache
Severity: Low. CVE-2026-2970 was published for datapizza-ai-core (pip) on Feb 23, 2026.

funadmin: XSS through Value argument in Backend Interface component
Severity: Low. CVE-2026-2897 was published for funadmin/funadmin (Composer) on Feb 22, 2026.

funadmin: Deserialization Vulnerability in Backend Endpoint via AuthCloudService getMember Function
Severity: Low. CVE-2026-2898 was published for funadmin/funadmin (Composer) on Feb 22, 2026.

funadmin has Weak Password Recovery Mechanism for Forgotten Password
Severity: Low. CVE-2026-2895 was published for funadmin/funadmin (Composer) on Feb 22, 2026.

funadmin has Incorrect Privilege Assignment in its Configuration Handler
Severity: Moderate. CVE-2026-2896 was published for funadmin/funadmin (Composer) on Feb 22, 2026.

funadmin exposes sensitive information via getMember function
Severity: Moderate. CVE-2026-2894 was published for funadmin/funadmin (Composer) on Feb 22, 2026.

Moodle TeX formula editor is vulnerable to DoS through lack of execution time limits
Severity: Moderate. CVE-2026-26047 was published for moodle/moodle (Composer) on Feb 21, 2026.

Moodle has a Remote Code Execution risk via file restore
Severity: High. CVE-2026-26045 was published for moodle/moodle (Composer) on Feb 21, 2026.

Apache Airflow error reporting may expose full kwargs
Severity: Moderate. CVE-2025-65995 was published for apache-airflow (pip) on Feb 21, 2026.

MLflow Use of Default Password Authentication Bypass Vulnerability
Severity: Critical. CVE-2026-2635 was published for mlflow (pip) on Feb 21, 2026.

MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability
Severity: High. CVE-2026-2033 was published for mlflow (pip) on Feb 21, 2026.

OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs
Severity: Moderate. CVE-2026-27576 was published for openclaw (npm) on Feb 20, 2026.

Google Cloud Vertex AI SDK affected by Stored Cross-Site Scripting (XSS)
Severity: High. CVE-2026-2472 was published for google-cloud-aiplatform (pip) on Feb 20, 2026.
Advisories are also available from the GraphQL API.