Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
48
Go
3,399
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,618
Pub
13
RubyGems
1,026
Rust
1,205
Swift
52
Unreviewed advisories
All unreviewed
5,000+

28,315 advisories

Loading
Moonraker affected by LDAP search filter injection Low
CVE-2026-24130 was published for moonraker (pip) Jan 22, 2026
solovvway Credited to solovvway
SurrealDB Affected by Confused Deputy Privilege Escalation through Future Fields and Functions High
GHSA-3v2x-9xcv-2v2v was published for surrealdb (Rust) Jan 22, 2026
cure53 Credited to cure53 and geraname geraname geraname
Umbraco.Forms CDN may cache sensitive form uploads when processed by ImageSharp Low
GHSA-7jxj-rpx7-ph2c was published for Umbraco.Forms (NuGet) Jan 22, 2026
Dragonfly Manager Job API Unauthenticated Access High
CVE-2026-24124 was published for d7y.io/dragonfly/v2 (Go) Jan 22, 2026
b0b0haha Credited to b0b0haha and gaius-qi gaius-qi gaius-qi
Wheel Affected by Arbitrary File Permission Modification via Path Traversal in wheel unpack High
CVE-2026-24049 was published for wheel (pip) Jan 22, 2026
kilkat Credited to kilkat, henryiii, agronholm, and frenzymadness henryiii henryiii
agronholm agronholm frenzymadness frenzymadness
docling-core vulnerable to Remote Code Execution via unsafe PyYAML usage High
CVE-2026-24009 was published for docling-core (pip) Jan 22, 2026
avioligo Credited to avioligo, vagenas, PeterStaar-IBM, dolfim-ibm, and tiran vagenas vagenas
PeterStaar-IBM PeterStaar-IBM dolfim-ibm dolfim-ibm tiran tiran
Seroval affected by Denial of Service via Deeply Nested Objects High
CVE-2026-24006 was published for seroval (npm) Jan 22, 2026
lxsmnsyc Credited to lxsmnsyc and tweidinger tweidinger tweidinger
Typebot affected by Credential Theft via Client-Side Script Execution and API Authorization Bypass High
CVE-2025-65098 was published for @typebot.io/js (npm) Jan 22, 2026
Deyvi-dev Credited to Deyvi-dev
Logback allows an attacker to instantiate classes already present on the class path Low
CVE-2026-1225 was published for ch.qos.logback:logback-core (Maven) Jan 22, 2026
Soft Serve Affected by an Authentication Bypass High
CVE-2026-24058 was published for github.com/charmbracelet/soft-serve (Go) Jan 21, 2026
juancabe Credited to juancabe and aymanbagabas aymanbagabas aymanbagabas
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions Moderate
CVE-2025-13465 was published for lodash (npm) Jan 21, 2026
lukas-eu Credited to lukas-eu, ljharb, UlisesGascon, falsyvalues, and jdalton ljharb ljharb
UlisesGascon UlisesGascon falsyvalues falsyvalues jdalton jdalton
Wrangler affected by OS Command Injection in `wrangler pages deploy` High
CVE-2026-0933 was published for wrangler (npm) Jan 21, 2026
yueyueL Credited to yueyueL
OpenTofu has High CPU usage in "tofu init" with maliciously-crafted module packages in .zip format Low
GHSA-r92c-9c7f-3pj8 was published for github.com/opentofu/opentofu (Go) Jan 21, 2026
Triton VM has a Soundness Vulnerability due to Improper Sampling of Randomness Low
GHSA-rjr4-v43m-pxq6 was published for triton-vm (Rust) Jan 21, 2026
knqyf263 Credited to knqyf263
Backstage has a Possible SSRF when reading from allowed URL's in `backend.reading.allow` Low
CVE-2026-24048 was published for @backstage/backend-defaults (npm) Jan 21, 2026
@backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass Moderate
CVE-2026-24047 was published for @backstage/cli-common (npm) Jan 21, 2026
Backstage has a Possible Symlink Path Traversal in Scaffolder Actions High
CVE-2026-24046 was published for @backstage/backend-defaults (npm) Jan 21, 2026
FastAPI Api Key has a timing side-channel in verify_key that allows statistical key validity detection Low
CVE-2026-23996 was published for fastapi-api-key (pip) Jan 21, 2026
Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims Moderate
CVE-2026-23990 was published for github.com/controlplaneio-fluxcd/flux-operator (Go) Jan 21, 2026
Copier safe template has arbitrary filesystem write access via directory symlinks when _preserve_symlinks: true Moderate
CVE-2026-23986 was published for copier (pip) Jan 21, 2026
cbrown1234 Credited to cbrown1234 and sisp sisp sisp
Copier safe template has arbitrary filesystem read access via symlinks when _preserve_symlinks: false Moderate
CVE-2026-23968 was published for copier (pip) Jan 21, 2026
sisp Credited to sisp and cbrown1234 cbrown1234 cbrown1234
Argo Workflows affected by stored XSS in the artifact directory listing High
CVE-2026-23960 was published for github.com/argoproj/argo-workflows (Go) Jan 21, 2026
Masamuneee Credited to Masamuneee
phpPgAdmin contains a remote command execution vulnerability High
CVE-2021-47853 was published for phppgadmin/phppgadmin (Composer) Jan 21, 2026
Seroval affected by Denial of Service via Array serialization High
CVE-2026-23957 was published for seroval (npm) Jan 21, 2026
tweidinger Credited to tweidinger and lxsmnsyc lxsmnsyc lxsmnsyc
seroval affected by Denial of Service via RegExp serialization High
CVE-2026-23956 was published for seroval (npm) Jan 21, 2026
tweidinger Credited to tweidinger and lxsmnsyc lxsmnsyc lxsmnsyc
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database