Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
46
GitHub Actions
48
Go
3,359
Maven
5,000+
npm
5,000+
NuGet
881
pip
4,554
Pub
12
RubyGems
1,013
Rust
1,205
Swift
51
Unreviewed advisories
All unreviewed
5,000+

27,996 advisories

Loading
OpenClaw's gateway connect could skip device identity checks when auth.token was present but not yet validated Critical
CVE-2026-28472 was published for openclaw (npm) Feb 17, 2026
simecek Credited to simecek and stanislavfortaisle stanislavfortaisle stanislavfortaisle
Rack has a Directory Traversal via Rack:Directory High
CVE-2026-22860 was published for rack (RubyGems) Feb 17, 2026
Masamuneee Credited to Masamuneee, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
BSV Blockchain SDK has an Authentication Signature Data Preparation Vulnerability Moderate
CVE-2025-69287 was published for @bsv/sdk (npm) Feb 17, 2026
F1r3Hydr4nt Credited to F1r3Hydr4nt
Apache NiFi: Missing Authorization of Restricted Permissions for Component Updates High
CVE-2026-25903 was published for org.apache.nifi:nifi-web-api (Maven) Feb 17, 2026
Mattermost fails to enforce invite permissions when updating team settings Low
CVE-2025-14573 was published for github.com/mattermost/mattermost-server (Go) Feb 16, 2026
Mattermost fails to properly validate team membership when processing channel mentions Moderate
CVE-2025-14350 was published for github.com/mattermost/mattermost-server (Go) Feb 16, 2026
pretix unsafely evaluates variables in emails High
CVE-2026-2415 was published for pretix (pip) Feb 16, 2026
Mattermost fails to sanitize sensitive data in WebSocket messages Moderate
CVE-2025-13821 was published for github.com/mattermost/mattermost-server (Go) Feb 16, 2026
Mattermost Plugin Zoom allows any logged-in user to change Zoom meeting restrictions for arbitrary channels Moderate
CVE-2026-0997 was published for github.com/mattermost/mattermost-plugin-zoom (Go) Feb 16, 2026
Mattermost fails to properly validate login method restrictions Moderate
CVE-2026-0999 was published for github.com/mattermost/mattermost-server (Go) Feb 16, 2026
Mattermost Plugin Zoom fail to validate user identity and post ownership in the {{/api/v1/askPMI}} endpoint Moderate
CVE-2026-0998 was published for github.com/mattermost/mattermost-plugin-zoom (Go) Feb 16, 2026
MindsDB affected by a SSRF vulnerability Low
CVE-2026-2531 was published for MindsDB (pip) Feb 16, 2026
ImapEngine affected by command injection via the ID command parameters Moderate
CVE-2026-2469 was published for directorytree/imapengine (Composer) Feb 14, 2026
Known affected by Account Takeover via Password Reset Token Leakage Critical
CVE-2026-26273 was published for idno/known (Composer) Feb 13, 2026
IamLeandrooooo Credited to IamLeandrooooo
Cloudflare Agents has a Reflected Cross-Site Scripting (XSS) vulnerability in AI Playground site Moderate
GHSA-w5cr-2qhr-jqc5 was published for agents (npm) Feb 13, 2026
`polymarket-client-sdks` was removed from crates.io for malicious code Critical
GHSA-p5vf-5754-x7p3 was published for polymarket-client-sdks (Rust) Feb 13, 2026
rPGP's integrity protection of encrypted data was not always checked Moderate
GHSA-c7ph-f7jm-xv4w was published for pgp (Rust) Feb 13, 2026
rPGP affected by crash in message handling for deeply nested messages High
GHSA-8h58-w33p-wq3g was published for pgp (Rust) Feb 13, 2026
invd Credited to invd
rPGP vulnerable to parser crash on crafted RSA secret key packets through CVE-2026-21895 High
GHSA-7587-4wv6-m68m was published for pgp (Rust) Feb 13, 2026
invd Credited to invd
Child processes spawned by Renovate incorrectly have full access to environment variables Moderate
GHSA-8wc6-vgrq-x6cf was published for renovate (npm) Feb 13, 2026
viceice Credited to viceice
Wildfly Elytron integration susceptible to brute force attacks via CLI High
CVE-2025-23368 was published for org.wildfly.core:wildfly-elytron-integration (Maven) Feb 13, 2026
Bug fixes in hpke-rs, hpke-rs-rust-crypto High
GHSA-g433-pq76-6cmf was published for hpke-rs (Rust) Feb 13, 2026
beautiful-mermaid contains an SVG attribute injection issue that can lead to cross-site scripting (XSS) Moderate
CVE-2026-26226 was published for beautiful-mermaid (npm) Feb 13, 2026
sqlparse: formatting list of tuples leads to denial of service Moderate
GHSA-27jp-wm6q-gp25 was published for sqlparse (pip) Feb 13, 2026
jacobtylerwalls Credited to jacobtylerwalls
lakeFS vulnerable to path traversal in local block adapter allow cross-namespace and sibling directory access High
CVE-2026-26187 was published for github.com/treeverse/lakefs (Go) Feb 13, 2026
nopcoder Credited to nopcoder
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database