Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
46
GitHub Actions
48
Go
3,361
Maven
5,000+
npm
5,000+
NuGet
881
pip
4,554
Pub
12
RubyGems
1,013
Rust
1,205
Swift
51
Unreviewed advisories
All unreviewed
5,000+

27,998 advisories

Loading
Apollo Serve vulnerable to Denial of Service with `startStandaloneServer` High
CVE-2026-23897 was published for @apollo/server (npm) Feb 4, 2026
ChALkeR Credited to ChALkeR
n8n Vulnerable to Command Injection in Community Package Installation Critical
CVE-2026-21893 was published for n8n (npm) Feb 4, 2026
berkdedekarginoglu Credited to berkdedekarginoglu
n8n's Unsafe Buffer Allocation Allows In-Process Memory Disclosure in Task Runner High
CVE-2025-61917 was published for n8n (npm) Feb 4, 2026
Apache Answer Exposure of Private Personal Information to an Unauthorized Actor vulnerability Moderate
CVE-2026-24735 was published for github.com/apache/answer (Go) Feb 4, 2026
Neo4j Enterprise and Community vulnerable to a potential information disclosure Moderate
CVE-2026-1622 was published for org.neo4j:neo4j (Maven) Feb 4, 2026
ingress-nginx's `rules.http.paths.path` Ingress field can be used to inject configuration into nginx High
CVE-2026-24512 was published for k8s.io/ingress-nginx (Go) Feb 4, 2026
ingress-nginx vulnerable to Allocation of Resources Without Limits or Throttling Moderate
CVE-2026-24514 was published for k8s.io/ingress-nginx (Go) Feb 4, 2026
ingress-nginx's `nginx.ingress.kubernetes.io/auth-method` Ingress annotation can be used to inject configuration into nginx High
CVE-2026-1580 was published for k8s.io/ingress-nginx (Go) Feb 4, 2026
ingress-nginx has Improper Check for Unusual or Exceptional Conditions Low
CVE-2026-24513 was published for k8s.io/ingress-nginx (Go) Feb 4, 2026
Navidrome affected by Denial of Service and disk exhaustion via oversized `size` parameter in `/rest/getCoverArt` and `/share/img/<token>` endpoints Critical
CVE-2026-25579 was published for github.com/navidrome/navidrome (Go) Feb 4, 2026
yunfachi Credited to yunfachi
Navidrome has XSS via comment from song metadata Moderate
CVE-2026-25578 was published for github.com/navidrome/navidrome (Go) Feb 4, 2026
AlexGustafsson Credited to AlexGustafsson
melange has a path traversal in license-path which allows reading files outside workspace Moderate
CVE-2026-25145 was published for chainguard.dev/melange (Go) Feb 4, 2026
1seal Credited to 1seal, sil2100, antitree, egibs, and eslerm sil2100 sil2100
antitree antitree egibs egibs eslerm eslerm
melange affected by potential host command execution via license-check YAML mode patch pipeline High
CVE-2026-25143 was published for chainguard.dev/melange (Go) Feb 4, 2026
1seal Credited to 1seal, egibs, sil2100, and antitree egibs egibs
sil2100 sil2100 antitree antitree
apko affected by potential unbounded resource consumption in expandapk.ExpandApk on attacker-controlled .apk streams High
CVE-2026-25140 was published for chainguard-dev/apko (Go) Feb 4, 2026
1seal Credited to 1seal, egibs, antitree, and jdolitsky egibs egibs
antitree antitree jdolitsky jdolitsky
apko affected by unbounded resource consumption in expandapk.Split on attacker-controlled .apk streams Moderate
CVE-2026-25122 was published for chainguard.dev/apko (Go) Feb 3, 2026
1seal Credited to 1seal, egibs, antitree, and jdolitsky egibs egibs
antitree antitree jdolitsky jdolitsky
apko has a path traversal in apko dirFS which allows filesystem writes outside base High
CVE-2026-25121 was published for chainguard.dev/apko (Go) Feb 3, 2026
1seal Credited to 1seal, jdolitsky, antitree, xornivore, eslerm, egibs, and stevebeattie jdolitsky jdolitsky
antitree antitree xornivore xornivore eslerm eslerm egibs egibs stevebeattie stevebeattie
melange pipeline working-directory could allow command injection High
CVE-2026-24844 was published for chainguard.dev/melange (Go) Feb 3, 2026
1seal Credited to 1seal, antitree, egibs, 89luca89, and eslerm antitree antitree
egibs egibs 89luca89 89luca89 eslerm eslerm
melange QEMU runner could write files outside workspace directory High
CVE-2026-24843 was published for chainguard.dev/melange (Go) Feb 3, 2026
1seal Credited to 1seal, antitree, egibs, 89luca89, and eslerm antitree antitree
egibs egibs 89luca89 89luca89 eslerm eslerm
PrestaShop affected by time based enumeration in FO login form Moderate
CVE-2026-25597 was published for prestashop/prestashop (Composer) Feb 3, 2026
Qwik City CSRF protection middleware does not work properly for content type header with parameters (eg. multipart/form-data) Moderate
CVE-2026-25155 was published for @builder.io/qwik-city (npm) Feb 3, 2026
Qwik City Open Redirect via fixTrailingSlash Low
CVE-2026-25149 was published for @builder.io/qwik-city (npm) Feb 3, 2026
wodzen Credited to wodzen
Qwik City has a CSRF Protection Bypass via Content-Type Header Validation Moderate
CVE-2026-25151 was published for @builder.io/qwik-city (npm) Feb 3, 2026
KageShiron Credited to KageShiron
Prototype Pollution via FormData Processing in Qwik City Critical
CVE-2026-25150 was published for @builder.io/qwik-city (npm) Feb 3, 2026
yueyueL Credited to yueyueL
Qwik SSR XSS via Unsafe Virtual Node Serialization Moderate
CVE-2026-25148 was published for @builder.io/qwik-city (npm) Feb 3, 2026
wodzen Credited to wodzen
@isaacs/brace-expansion has Uncontrolled Resource Consumption High
CVE-2026-25547 was published for @isaacs/brace-expansion (npm) Feb 3, 2026
Jvr2022 Credited to Jvr2022 and intrigus-lgtm intrigus-lgtm intrigus-lgtm
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database