Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
48
GitHub Actions
48
Go
3,391
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,614
Pub
13
RubyGems
1,013
Rust
1,205
Swift
51
Unreviewed advisories
All unreviewed
5,000+

28,209 advisories

Loading
n8n Unsafe Workflow Expression Evaluation Allows Remote Code Execution Critical
CVE-2026-1470 was published for n8n (npm) Jan 27, 2026
askbot inexhaustive permissions check allows any user to modify a different user's profile picture Moderate
CVE-2026-1213 was published for askbot (pip) Jan 27, 2026
weixin4j has Improperly Controlled Sequential Memory Allocation Moderate
CVE-2026-24819 was published for com.foxinmy:weixin4j-base (Maven) Jan 27, 2026
Quick-Media Batik Codec FIX package has Code Injection vulnerability Moderate
CVE-2026-24806 was published for com.github.liuyueyi.media:batik-codec-fix (Maven) Jan 27, 2026
jsonrpc4j has Infinite Loop in RPC Stream Writer Moderate
CVE-2026-24802 was published for com.github.briandilley.jsonrpc4j:jsonrpc4j (Maven) Jan 27, 2026
Quick-Media Batik Codec FIX Package has Buffer Overflow Vulnerability in PNG Codec Moderate
CVE-2026-24807 was published for com.github.liuyueyi.media:batik-codec-fix (Maven) Jan 27, 2026
oneshot has potential Use After Free when used asynchronously High
GHSA-rvr2-r3pv-5m4p was published for oneshot (Rust) Jan 27, 2026
gmrtd ReadFile Vulnerable to Denial of Service via Excessive TLV Length Values Moderate
CVE-2026-24738 was published for github.com/gmrtd/gmrtd (Go) Jan 27, 2026
ramrunner Credited to ramrunner
Dozzle Agent Label-Based Access Control Bypass Allows Unauthorized Container Shell Access High
CVE-2026-24740 was published for github.com/amir20/dozzle (Go) Jan 27, 2026
k14uz Credited to k14uz
Wasmtime segfault or unused out-of-sandbox load with f64.copysign operator on x86-64 Moderate
CVE-2026-24116 was published for wasmtime (Rust) Jan 27, 2026
louismerlin Credited to louismerlin
go-tuf Path Traversal in TAP 4 Multirepo Client Allows Arbitrary File Write via Malicious Repository Names Moderate
CVE-2026-24686 was published for github.com/theupdateframework/go-tuf/v2 (Go) Jan 26, 2026
1seal Credited to 1seal, rdimitrov, and kommendorkapten rdimitrov rdimitrov
kommendorkapten kommendorkapten
pypdf has possible Infinite Loop when processing outlines/bookmarks Moderate
CVE-2026-24688 was published for pypdf (pip) Jan 26, 2026
JoakimBulow Credited to JoakimBulow and stefan6419846 stefan6419846 stefan6419846
MobSF has Stored XSS via Manifest Analysis - Dialer Code Host Field High
CVE-2026-24490 was published for mobsf (pip) Jan 26, 2026
smaranchand Credited to smaranchand
Saltcorn's Reflected XSS and Command Injection vulnerabilities can be chained for 1-click-RCE Critical
GHSA-cr3w-cw5w-h3fj was published for @saltcorn/server (npm) Jan 26, 2026
Mathis-Z Credited to Mathis-Z
Gakido vulnerable to HTTP Header Injection (CRLF Injection) Moderate
CVE-2026-24489 was published for gakido (pip) Jan 26, 2026
omarkurt Credited to omarkurt
Python-Multipart has Arbitrary File Write via Non-Default Configuration High
CVE-2026-24486 was published for python-multipart (pip) Jan 26, 2026
mwlik Credited to mwlik and imenyoo2 imenyoo2 imenyoo2
Skipper Ingress Controller Allows Unauthorized Access to Internal Services via ExternalName High
CVE-2026-24470 was published for github.com/zalando/skipper (Go) Jan 26, 2026
b0b0haha Credited to b0b0haha, moyushui, and j311yl0v3u moyushui moyushui
j311yl0v3u j311yl0v3u
sigstore CSRF possibility in OIDC authentication during signing Low
CVE-2026-24408 was published for sigstore (pip) Jan 26, 2026
jku Credited to jku
AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion High
CVE-2026-24400 was published for org.assertj:assertj-core (Maven) Jan 26, 2026
wxt201 Credited to wxt201 and scordio scordio scordio
Hibernate Reactive Vulnerable to DoS via Connection Pool Exhaustion Moderate
CVE-2025-14969 was published for org.hibernate.reactive:hibernate-reactive-core (Maven) Jan 26, 2026
KubeVirt Guest Agent DoS via Excessive Network Interface Reports Moderate
CVE-2025-14525 was published for kubevirt.io/kubevirt (Go) Jan 26, 2026
Duplicate Advisory: go-viper's mapstructure May Leak Sensitive Information in Logs When Processing Malformed Data Moderate
GHSA-86rf-68f4-2cph was published for github.com/go-viper/mapstructure/v2 (Go) Jan 26, 2026 withdrawn
GI-DocGen vulnerable to Reflected XSS via unescaped query strings Moderate
CVE-2025-11687 was published for gi-docgen (pip) Jan 26, 2026
Keycloak's missing timestamp validation allows attackers to extend SAML response validity periods Low
CVE-2026-1190 was published for org.keycloak:keycloak-services (Maven) Jan 26, 2026
Duplicate Advisory: gix-date can create non-utf8 string with `TimeBuf::as_str` Moderate
GHSA-8rgq-m2pm-jvmg was published for gix-date (Rust) Jan 26, 2026 withdrawn
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database