Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
46
GitHub Actions
47
Go
3,323
Maven
5,000+
npm
5,000+
NuGet
880
pip
4,533
Pub
12
RubyGems
1,010
Rust
1,201
Swift
51
Unreviewed advisories
All unreviewed
5,000+

27,823 advisories

Loading
Svelte affected by XSS in SSR `<option>` element Moderate
CVE-2026-27119 was published for svelte (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github and enismaholli enismaholli enismaholli
Cache poisoning in @sveltejs/adapter-vercel Moderate
CVE-2026-27118 was published for @sveltejs/adapter-vercel (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
Unsoundness in opt-in ARMv8 assembly backend for `keccak` Low
GHSA-3288-p39f-rqpv was published for keccak (Rust) Feb 19, 2026
Unauthorized npm publish of cline@2.3.0 with modified postinstall script Low
GHSA-9ppg-jx86-fqw7 was published for cline (npm) Feb 19, 2026
AdnaneKhan Credited to AdnaneKhan
Kargo has an Authorization Bypass Vulnerability in Batch Resource Creation API Endpoints Critical
CVE-2026-27112 was published for github.com/akuity/kargo (Go) Feb 19, 2026
b0b0haha Credited to b0b0haha, spingARbor, and krancour spingARbor spingARbor
krancour krancour
Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints Moderate
CVE-2026-27111 was published for github.com/akuity/kargo (Go) Feb 19, 2026
b0b0haha Credited to b0b0haha, spingARbor, and krancour spingARbor spingARbor
krancour krancour
Fabric.js Affected by Stored XSS via SVG Export High
CVE-2026-27013 was published for fabric (npm) Feb 18, 2026
nedlir Credited to nedlir
OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection Moderate
CVE-2026-27009 was published for openclaw (npm) Feb 18, 2026
Adam55A-code Credited to Adam55A-code
OpenClaw hardened the skill download target directory validation Moderate
CVE-2026-27008 was published for openclaw (npm) Feb 18, 2026
Adam55A-code Credited to Adam55A-code
OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation Moderate
CVE-2026-27007 was published for openclaw (npm) Feb 18, 2026
kexinoh Credited to kexinoh
OpenClaw session tool visibility hardening and Telegram webhook secret fallback Moderate
CVE-2026-27004 was published for openclaw (npm) Feb 18, 2026
aether-ai-agent Credited to aether-ai-agent
OpenClaw: Telegram bot token exposure via logs Moderate
CVE-2026-27003 was published for openclaw (npm) Feb 18, 2026
aether-ai-agent Credited to aether-ai-agent
OpenClaw: Docker container escape via unvalidated bind mount config injection High
CVE-2026-27002 was published for openclaw (npm) Feb 18, 2026
aether-ai-agent Credited to aether-ai-agent
OpenClaw: Unsanitized CWD path injection into LLM prompts High
CVE-2026-27001 was published for openclaw (npm) Feb 18, 2026
aether-ai-agent Credited to aether-ai-agent
Keras has a Local File Disclosure via HDF5 External Storage During Keras Weight Loading High
CVE-2026-1669 was published for keras (pip) Feb 18, 2026
N3mes1s Credited to N3mes1s
pypdf possibly has long runtimes for malformed FlateDecode streams Moderate
CVE-2026-27026 was published for pypdf (pip) Feb 18, 2026
CheonWoong-Park Credited to CheonWoong-Park and stefan6419846 stefan6419846 stefan6419846
pypdf has possible long runtimes/large memory usage for large /ToUnicode streams Moderate
CVE-2026-27025 was published for pypdf (pip) Feb 18, 2026
CheonWoong-Park Credited to CheonWoong-Park and stefan6419846 stefan6419846 stefan6419846
pypdf has a possible infinite loop when processing TreeObject Moderate
CVE-2026-27024 was published for pypdf (pip) Feb 18, 2026
CheonWoong-Park Credited to CheonWoong-Park and stefan6419846 stefan6419846 stefan6419846
RediSearch Query Injection in @langchain/langgraph-checkpoint-redis Moderate
CVE-2026-27022 was published for @langchain/langgraph-checkpoint-redis (npm) Feb 18, 2026
yardenporat353 Credited to yardenporat353 and hntrl hntrl hntrl
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern High
CVE-2026-26996 was published for minimatch (npm) Feb 18, 2026
AkshayJainG Credited to AkshayJainG, ljharb, G-Rath, thomas-schlein, isaacs, and SamanthaPersico ljharb ljharb
G-Rath G-Rath thomas-schlein thomas-schlein isaacs isaacs SamanthaPersico SamanthaPersico
filippo.io/edwards25519 MultiScalarMult produces invalid results or undefined behavior if receiver is not the identity Low
CVE-2026-26958 was published for filippo.io/edwards25519 (Go) Feb 18, 2026
WeebDataHoarder Credited to WeebDataHoarder and shaharcohen1 shaharcohen1 shaharcohen1
Command Injection via Unsanitized `locate` Output in `versions()` — systeminformation High
CVE-2026-26318 was published for systeminformation (npm) Feb 18, 2026
Sanu1999 Credited to Sanu1999
Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake Moderate
CVE-2026-26315 was published for github.com/ethereum/go-ethereum (Go) Feb 18, 2026
fengjian Credited to fengjian
Go Ethereum affected by DoS via malicious p2p message High
CVE-2026-26314 was published for github.com/ethereum/go-ethereum (Go) Feb 18, 2026
Go Ethereum affected by DoS via malicious p2p message Moderate
CVE-2026-26313 was published for github.com/ethereum/go-ethereum (Go) Feb 18, 2026
revofusion Credited to revofusion
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database