GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

28,101 advisories

SageMaker Python SDK has Insecure TLS Configuration High
CVE-2026-1778 was published for sagemaker (pip) Feb 2, 2026
Magento's X-Original-Url header can expose admin url Moderate
CVE-2026-25523 was published for openmage/magento-lts (Composer) Feb 2, 2026
Credited to anees0xdev
Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation Moderate
CVE-2026-25522 was published for craftcms/commerce (Composer) Feb 2, 2026
Credited to mHe4am
Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation Moderate
CVE-2026-25490 was published for craftcms/commerce (Composer) Feb 2, 2026
Credited to mHe4am
Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation Moderate
CVE-2026-25489 was published for craftcms/commerce (Composer) Feb 2, 2026
Credited to mHe4am
Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation Moderate
CVE-2026-25488 was published for craftcms/commerce (Composer) Feb 2, 2026
Credited to mHe4am
Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation Moderate
CVE-2026-25487 was published for craftcms/commerce (Composer) Feb 2, 2026
Credited to mHe4am
Craft Commerce has Stored XSS in Shipping Methods Name Field Leading to Potential Privilege Escalation Moderate
CVE-2026-25486 was published for craftcms/commerce (Composer) Feb 2, 2026
Credited to mHe4am
Craft Commerce has Stored XSS in Shipping Categories (Name & Description) Fields Leading to Potential Privilege Escalation Moderate
CVE-2026-25485 was published for craftcms/composer (Composer) Feb 2, 2026
Credited to mHe4am
Craft Commerce has Stored XSS in Product Type Name Moderate
CVE-2026-25484 was published for craftcms/commerce (Composer) Feb 2, 2026
Credited to mHe4am
Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration Moderate
CVE-2026-25483 was published for craftcms/commerce (Composer) Feb 2, 2026
Credited to mHe4am
Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in "Recent Orders" Dashboard Widget) Moderate
CVE-2026-25482 was published for craftcms/commerce (Composer) Feb 2, 2026
Credited to mHe4am
SignalK Server has Path Traversal leading to information disclosure Moderate
CVE-2026-25228 was published for signalk-server (npm) Feb 2, 2026
Credited to cchheang
Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream Low
CVE-2026-25224 was published for fastify (npm) Feb 2, 2026
Credited to mcollina and onlybugs05
Fastify's Content-Type header tab character allows body validation bypass High
CVE-2026-25223 was published for fastify (npm) Feb 2, 2026
Credited to jsumners
locutus is vulnerable to Prototype Pollution Critical
CVE-2026-25521 was published for locutus (npm) Feb 2, 2026
Credited to kevgeoleo, reallyTG, vdata1, and cristianstaicu
cert-manager-controller DoS via Specially Crafted DNS Response Moderate
CVE-2026-25518 was published for github.com/cert-manager/cert-manager (Go) Feb 2, 2026
Credited to 1seal and SgtCoDFish
CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor Critical
CVE-2026-25510 was published for ci4-cms-erp/ci4ms (Composer) Feb 2, 2026
Credited to Far-Horizons
CI4MS Vulnerable to User Email Enumeration via Password Reset Flow Moderate
CVE-2026-25509 was published for ci4-cms-erp/ci4ms (Composer) Feb 2, 2026
Credited to Far-Horizons
Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication Critical
CVE-2026-25505 was published for bambuddy (pip) Feb 2, 2026
Credited to Speenah
WireGuard Portal v2 has Open Redirect Vulnerability in OAuth Authentication Flow Moderate
GHSA-grh9-37g7-53mj was published for github.com/h44z/wg-portal (Go) Feb 2, 2026
Credited to coolsarne and floerer
picklescan vulnerable to arbitrary file create using logging.FileHandler Moderate
GHSA-m7j5-r2p5-c39r was published for picklescan (pip) Feb 2, 2026
Credited to ez-lbz
picklescan missing detection by simple obfuscation of a `builtins.eval` call High
GHSA-9m3x-qqw2-h32h was published for picklescan (pip) Feb 2, 2026
Credited to ogrisel
Langroid has WAF Bypass Leading to RCE in TableChatAgent Critical
CVE-2026-25481 was published for langroid (pip) Feb 2, 2026
Credited to Ka7arotto
ml-dsa's UseHint function has off by two error when r0 equals zero Moderate
GHSA-h37v-hp6w-2pp8 was published for ml-dsa (Rust) Feb 2, 2026
Credited to XoifaiI