GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Advisory counts by ecosystem:

| Ecosystem | Advisories |
|---|---|
| All reviewed | 5,000+ |
| Composer | 5,000+ |
| Erlang | 47 |
| GitHub Actions | 48 |
| Go | 3,379 |
| Maven | 5,000+ |
| npm | 5,000+ |
| NuGet | 881 |
| pip | 4,574 |
| Pub | 13 |
| RubyGems | 1,013 |
| Rust | 1,205 |
| Swift | 51 |
| All unreviewed | 5,000+ |

28,106 advisories
| Advisory | Severity | ID | Package (ecosystem) | Published |
|---|---|---|---|---|
| Gitea improperly exposes issue and pull request titles | Low | CVE-2026-20800 | github.com/go-gitea/gitea (Go) | Jan 23, 2026 |
| Gitea improperly exposes issue titles and repository names through previously started stopwatches | Low | CVE-2026-20883 | github.com/go-gitea/gitea (Go) | Jan 23, 2026 |
| Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface | Moderate | CVE-2026-20888 | github.com/go-gitea/gitea (Go) | Jan 23, 2026 |
| Gitea has improper access control for uploaded attachments | Low | CVE-2026-20736 | code.gitea.io/gitea (Go) | Jan 23, 2026 |
| Container and Containerization archive extraction does not guard against escapes from extraction base directory | Low | CVE-2026-20613 | github.com/apple/container (Swift) | Jan 22, 2026 |
| Freeform Craft Plugin CP UI (builder/integrations) has Stored Cross-Site Scripting (XSS) issue | Low | CVE-2026-26188 | solspace/craft-freeform (Composer) | Jan 22, 2026 |
| Spring Security has a broken timing attack mitigation implemented in DaoAuthenticationProvide | Moderate | CVE-2025-22234 | org.springframework.security:spring-security-core (Maven) | Jan 22, 2026 |
| sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal | Moderate | CVE-2026-24137 | github.com/sigstore/sigstore (Go) | Jan 22, 2026 |
| Incus container image templating arbitrary host file read and write | High | CVE-2026-23954 | github.com/lxc/incus/v6/cmd/incusd (Go) | Jan 22, 2026 |
| Incus container environment configuration newline injection | High | CVE-2026-23953 | github.com/lxc/incus/v6 (Go) | Jan 22, 2026 |
| Rekor affected by Server-Side Request Forgery (SSRF) via provided public key URL | Moderate | CVE-2026-24117 | github.com/sigstore/rekor (Go) | Jan 22, 2026 |
| Rekor's COSE v0.0.1 entry type nil pointer dereference in Canonicalize via empty Message | Moderate | CVE-2026-23831 | github.com/sigstore/rekor (Go) | Jan 22, 2026 |
| Sentencepiece has a heap overflow issue | High | CVE-2026-1260 | sentencepiece (pip) | Jan 22, 2026 |
| orjson does not limit recursion for deeply nested JSON documents | High | CVE-2025-67221 | orjson (pip) | Jan 22, 2026 |
| Beam Exposes sensitive information via joinCleanPath function | Moderate | CVE-2025-69820 | github.com/beam-cloud/beta9 (Go) | Jan 22, 2026 |
| Orval Mock Generation Code Injection via const | High | CVE-2026-24132 | @orval/mock (npm) | Jan 22, 2026 |
| Moonraker affected by LDAP search filter injection | Low | CVE-2026-24130 | moonraker (pip) | Jan 22, 2026 |
| SurrealDB Affected by Confused Deputy Privilege Escalation through Future Fields and Functions | High | GHSA-3v2x-9xcv-2v2v | surrealdb (Rust) | Jan 22, 2026 |
| Umbraco.Forms CDN may cache sensitive form uploads when processed by ImageSharp | Low | GHSA-7jxj-rpx7-ph2c | Umbraco.Forms (NuGet) | Jan 22, 2026 |
| Dragonfly Manager Job API Unauthenticated Access | High | CVE-2026-24124 | d7y.io/dragonfly/v2 (Go) | Jan 22, 2026 |
| Wheel Affected by Arbitrary File Permission Modification via Path Traversal in wheel unpack | High | CVE-2026-24049 | wheel (pip) | Jan 22, 2026 |
| docling-core vulnerable to Remote Code Execution via unsafe PyYAML usage | High | CVE-2026-24009 | docling-core (pip) | Jan 22, 2026 |
| Seroval affected by Denial of Service via Deeply Nested Objects | High | CVE-2026-24006 | seroval (npm) | Jan 22, 2026 |
| Typebot affected by Credential Theft via Client-Side Script Execution and API Authorization Bypass | High | CVE-2025-65098 | @typebot.io/js (npm) | Jan 22, 2026 |
| Logback allows an attacker to instantiate classes already present on the class path | Low | CVE-2026-1225 | ch.qos.logback:logback-core (Maven) | Jan 22, 2026 |
ProTip! Advisories are also available from the GraphQL API.