
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

28,101 advisories

terraform-provider-proxmox has insecure sudo recommendation in the documentation High
CVE-2026-25499 was published for github.com/bpg/terraform-provider-proxmox (Go) Feb 2, 2026
Credited to lucasmaurice
@backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks High
CVE-2026-25153 was published for @backstage/plugin-techdocs-node (npm) Feb 2, 2026
SandboxJS Vulnerable to Prototype Pollution -> Sandbox Escape -> RCE Critical
CVE-2026-25142 was published for @nyariv/sandboxjs (npm) Feb 2, 2026
Credited to c0rydoras
OpenList has Insecure TLS Default Configuration High
CVE-2026-25060 was published for github.com/OpenListTeam/OpenList/v4 (Go) Feb 2, 2026
Credited to XlabAITeam, dezhishen, KirCute, jyxjjj, A7um, pkuGenuine, and keenanwgn
OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking High
CVE-2026-24051 was published for go.opentelemetry.io/otel/sdk (Go) Feb 2, 2026
Credited to MorielHarush, pellared, and arminru
OpenList vulnerable to Path Traversal in file copy and remove handlers High
CVE-2026-25059 was published for github.com/OpenListTeam/OpenList/v4 (Go) Feb 2, 2026
Credited to XlabAITeam, KirCute, dezhishen, Suyunmeng, jyxjjj, A7um, pkuGenuine, and keenanwgn
Crafter CMS has Improper Control of Dynamically-Managed Code Resources Moderate
CVE-2026-1770 was published for org.craftercms:craftercms (Maven) Feb 2, 2026
jsPDF has PDF Injection in AcroFormChoiceField that allows Arbitrary JavaScript Execution High
CVE-2026-24737 was published for jspdf (npm) Feb 2, 2026
Credited to ahmetartuc
jsPDF Vulnerable to Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder High
CVE-2026-24133 was published for jspdf (npm) Feb 2, 2026
Credited to KarimTantawey
jsPDF Vulnerable to Stored XMP Metadata Injection (Spoofing & Integrity Violation) Moderate
CVE-2026-24043 was published for jspdf (npm) Feb 2, 2026
Credited to KarimTantawey
jsPDF has Shared State Race Condition in addJS Plugin Moderate
CVE-2026-24040 was published for jspdf (npm) Feb 2, 2026
Credited to KarimTantawey
FacturaScripts has Stored Cross-Site Scripting (XSS) in "Observations" field via History View High
CVE-2026-23997 was published for facturascripts/facturascripts (Composer) Feb 2, 2026
Credited to jaroslaw-wawiorko
Signal K set-system-time plugin vulnerable to RCE - Command Injection Critical
CVE-2026-23515 was published for @signalk/set-system-time (npm) Feb 2, 2026
Credited to cchheang
FacturaScripts is Vulnerable to Reflected XSS Moderate
CVE-2026-23476 was published for facturascripts/facturascripts (Composer) Feb 2, 2026
Credited to h4cd0c
vLLM has RCE In Video Processing Critical
CVE-2026-22778 was published for vllm (pip) Feb 2, 2026
Credited to dan-sec-ops, DarkLight1337, and russellb
Khoj has an IDOR in Notion OAuth Flow that Enables Index Poisoning Moderate
CVE-2025-69207 was published for khoj (pip) Feb 2, 2026
Credited to Cillian-Collins
pip Path Traversal vulnerability Low
CVE-2026-1703 was published for pip (pip) Feb 2, 2026
@backstage/plugin-techdocs-node vulnerable to possible Path Traversal in TechDocs Local Generator Moderate
CVE-2026-25152 was published for @backstage/plugin-techdocs-node (npm) Feb 2, 2026
mlflow Creation of Temporary File in Directory with Insecure Permissions High
CVE-2025-10279 was published for mlflow (pip) Feb 2, 2026
Hugging Face Text Generation Inference vulnerable to Uncontrolled Resource Consumption High
CVE-2026-0599 was published for text-generation (pip) Feb 2, 2026
H2O has an External Control of File Name or Path vulnerability Critical
CVE-2024-5986 was published for ai.h2o:h2o-core (Maven) Feb 2, 2026
llama-index-core vulnerable to Uncontrolled Resource Consumption Moderate
CVE-2025-6208 was published for llama-index-core (pip) Feb 2, 2026
Lollms has an Improper Access Control vulnerability High
CVE-2026-1117 was published for lollms (pip) Feb 2, 2026
Keycloak Server-Side Request Forgery (SSRF) vulnerability Low
CVE-2026-1518 was published for org.keycloak:keycloak-parent (Maven) Feb 2, 2026
Keycloak Admin API allows an administrator with limited privileges to retrieve sensitive custom attributes Low
CVE-2025-13881 was published for org.keycloak:keycloak-services (Maven) Feb 2, 2026
Credited to eminaktas