
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

28,101 advisories

foreman_kubevirt disables SSL verification if a Certificate Authority (CA) certificate is not explicitly set High
CVE-2026-1531 was published for foreman_kubevirt (RubyGems) Feb 2, 2026
fog-kubevirt allows remote attacker to perform MITM attack due to disabled certificate validation High
CVE-2026-1530 was published for fog-kubevirt (RubyGems) Feb 2, 2026
RaspAP raspap-webgui contains an OS Command Injection vulnerability High
CVE-2026-24788 was published for billz/raspap-webgui (Composer) Feb 2, 2026
Duplicate Advisory: 1-Click RCE via Authentication Token Exfiltration From gatewayUrl High
GHSA-r2c6-8jc8-g32w was published for clawdbot (npm) Feb 2, 2026 (withdrawn)
Rancher CLI skips TLS verification on Rancher CLI login command High
CVE-2025-67601 was published for github.com/rancher/rancher (Go) Feb 1, 2026
LobeHub Vulnerable to Improper Authorization in Presigned Upload Moderate
CVE-2026-23835 was published for @lobehub/chat (npm) Feb 1, 2026
Credited to uko3211
Salt Authentication Protocol Version Downgrade Allows Minion Impersonation High
CVE-2025-62349 was published for salt (pip) Jan 30, 2026
geopandas SQL Injection Vulnerability in to_postgis() Allows Information Disclosure High
CVE-2025-69662 was published for geopandas (pip) Jan 30, 2026
Salt junos Module Vulnerable to Code Injection via Specially Crafted YAML Payload High
CVE-2025-62348 was published for salt (pip) Jan 30, 2026
PsySH has Local Privilege Escalation via CWD .psysh.php auto-load Moderate
CVE-2026-25129 was published for psy/psysh (Composer) Jan 30, 2026
Credited to aqhmal
Orval has Code Injection via unsanitized x-enum-descriptions using JS comments Critical
CVE-2026-25141 was published for @orval/core (npm) Jan 30, 2026
Credited to progfay and k14uz
CAI find_file Agent Tool has Command Injection Vulnerability Through Argument Injection Critical
CVE-2026-25130 was published for cai-framework (pip) Jan 30, 2026
Credited to FailButWin and 0x5t
fast-xml-parser has RangeError DoS Numeric Entities Bug High
CVE-2026-25128 was published for fast-xml-parser (npm) Jan 30, 2026
Credited to mistersiddd
Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy Low
CVE-2026-25050 was published for @vendure/core (npm) Jan 30, 2026
Undertow Servlets Vulnerable to Remote DoS via OutOfMemoryError when Passed Large Parameter Names High
CVE-2024-4027 was published for io.undertow:undertow-core (Maven) Jan 30, 2026
Credited to za-rudeboy
Umbraco.Forms has Path Traversal and File Enumeration Vulnerabilities in Linux/Mac Moderate
CVE-2026-24687 was published for Umbraco.Forms (NuGet) Jan 30, 2026
Llama Stack exposes secret in initialization log Low
CVE-2026-25211 was published for llama-stack (pip) Jan 30, 2026
deepHas vulnerable to Prototype Pollution via constructor.prototype Critical
CVE-2026-25047 was published for deephas (npm) Jan 29, 2026
Credited to kevgeoleo, vdata1, and reallyTG
malcontent vulnerable to symlink Path Traversal via handleSymlink argument confusion in archive extraction Moderate
CVE-2026-24846 was published for github.com/chainguard-dev/malcontent (Go) Jan 29, 2026
Credited to 1seal, egibs, antitree, stevebeattie, and eslerm
malcontent OCI image pull credential exfiltration via malicious registry token realm Moderate
CVE-2026-24845 was published for github.com/chainguard-dev/malcontent (Go) Jan 29, 2026
Credited to 1seal, egibs, antitree, stevebeattie, and eslerm
Unfurl's debug mode cannot be disabled due to string config parsing (Werkzeug debugger exposure) Critical
GHSA-vg9h-jx4v-cwx2 was published for dfir-unfurl (pip) Jan 29, 2026
Credited to mobasi-team
Unfurl's unbounded zlib decompression allows decompression bomb DoS Moderate
GHSA-h5qv-qjv4-pc5m was published for dfir-unfurl (pip) Jan 29, 2026
Credited to mobasi-team
Juju has broken CMR authorization Low
CVE-2026-1237 was published for github.com/juju/juju (Go) Jan 29, 2026
Maker.js has Unsafe Property Copying in makerjs.extendObject Moderate
CVE-2026-24888 was published for makerjs (npm) Jan 29, 2026
Credited to hayageek
SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE Critical
CVE-2026-25539 was published for github.com/siyuan-note/siyuan/kernel (Go) Jan 29, 2026
Credited to thxtech