GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 46; GitHub Actions 48; Go 3,361; Maven 5,000+; npm 5,000+; NuGet 881; pip 4,554; Pub 12; RubyGems 1,013; Rust 1,205; Swift 51.
Unreviewed advisories: All unreviewed 5,000+.

27,998 advisories
[Moderate] CVE-2026-25496: Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields, published for craftcms/cms (Composer) on Feb 9, 2026
[High] CVE-2026-25495: Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]`, published for craftcms/cms (Composer) on Feb 9, 2026
[Moderate] CVE-2026-25494: Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation, published for craftcms/cms (Composer) on Feb 9, 2026
[Moderate] CVE-2026-25493: Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect, published for craftcms/cms (Composer) on Feb 9, 2026
[Moderate] CVE-2026-25492: Craft CMS: save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host, published for craftcms/craft (Composer) on Feb 9, 2026
[Low] CVE-2026-25491: Craft CMS Vulnerable to Stored XSS in Entry Types Name, published for craftcms/cms (Composer) on Feb 9, 2026
[High] CVE-2026-25761: Super-linter is vulnerable to command injection via crafted filenames in Super-linter Action, published for super-linter/super-linter (GitHub Actions) on Feb 9, 2026
[High] CVE-2026-25639: Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig, published for axios (npm) on Feb 9, 2026
[Moderate] CVE-2026-25598: Harden-Runner: Bypassing Logging of Outbound Connections Using sendto, sendmsg, and sendmmsg in Harden-Runner (Community Tier), published for step-security/harden-runner (GitHub Actions) on Feb 9, 2026
[Moderate] CVE-2026-25480: Litestar's FileStore key canonicalization collisions allow response cache mixup/poisoning (ASCII ord + Unicode NFKD), published for litestar (pip) on Feb 9, 2026
[Moderate] CVE-2026-25479: Litestar's AllowedHosts has a validation bypass due to unescaped regex metacharacters in configured host patterns, published for litestar (pip) on Feb 9, 2026
[High] CVE-2026-25478: Litestar's CORS origin allowlist has a bypass due to unescaped regex metacharacters in allowed origins, published for litestar (pip) on Feb 9, 2026
[Critical] CVE-2025-66630: Fiber has an insecure fallback in utils.UUIDv4() / utils.UUID() — predictable / zero‑UUID on crypto/rand failure, published for github.com/gofiber/fiber/v2 (Go) on Feb 9, 2026
[Moderate] CVE-2026-23903: Apache Shiro has an Authentication Bypass, published for org.apache.shiro:shiro-spring (Maven) on Feb 9, 2026
[Moderate] CVE-2026-22922: Apache Airflow Has an Authorization Bypass That Allows Unauthorized Task Log Access, published for apache-airflow (pip) on Feb 9, 2026
[Moderate] CVE-2026-24098: Apache Airflow UI Exposes DAG Import Errors to Unauthorized Authenticated Users, published for apache-airflow (pip) on Feb 9, 2026
[Moderate] CVE-2026-25904: MCP Run Python Deno Sandbox Misconfiguration Allows SSRF Attacks via Localhost Access, published for mcp-run-python (pip) on Feb 9, 2026
[Moderate] CVE-2026-25905: MCP Run Python has a Sandbox Escape & Server Takeover Vulnerability, published for mcp-run-python (pip) on Feb 9, 2026
[High] CVE-2026-1615: jsonpath has Arbitrary Code Injection via Unsafe Evaluation of JSON Path Expressions, published for jsonpath (npm) on Feb 9, 2026
[Low] CVE-2026-2178: xcode-mcp-server vulnerable to Command Injection, published for xcode-mcp-server (npm) on Feb 8, 2026
[Moderate] CVE-2026-2130: mcp-maigret vulnerable to command injection, published for mcp-maigret (npm) on Feb 8, 2026
[High] CVE-2026-25791: Sliver has DNS C2 OTP Bypass that Allows Unauthenticated Session Flooding and Denial of Service, published for github.com/bishopfox/sliver (Go) on Feb 6, 2026
[High] CVE-2026-25804: Antrea has invalid enforcement order for network policy rules caused by integer overflow, published for antrea.io/antrea (Go) on Feb 6, 2026
[Critical] CVE-2026-1709: Keylime Missing Authentication for Critical Function and Improper Authentication, published for keylime (pip) on Feb 6, 2026
[Low] GHSA-vhvq-fv9f-wh4q: LookupResources Cursor section tampering can crash SpiceDB process via tuple.MustParse panic, published for github.com/authzed/spicedb (Go) on Feb 6, 2026
Advisories are also available from the GraphQL API.