Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
48
Go
3,399
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,619
Pub
13
RubyGems
1,026
Rust
1,205
Swift
52
Unreviewed advisories
All unreviewed
5,000+

28,316 advisories

Loading
ESPHome vulnerable to denial-of-service via out-of-bounds check bypass in the API component Moderate
CVE-2026-23833 was published for esphome (pip) Jan 21, 2026
Mat931 Credited to Mat931
Swing Music has a Directory Traversal & Filesystem can be accessed by a non-admin user Moderate
CVE-2026-23877 was published for swingmusic (pip) Jan 21, 2026
d-virtuosa Credited to d-virtuosa
File Browser Vulnerable to Username Enumeration via Timing Attack in /api/login Moderate
CVE-2026-23849 was published for github.com/filebrowser/filebrowser (Go) Jan 21, 2026
GUCHIHACKER Credited to GUCHIHACKER and hacdias hacdias hacdias
SiYuan vulnerable to Arbitrary file Read / SSRF High
CVE-2026-23850 was published for github.com/siyuan-note/siyuan/kernel (Go) Jan 21, 2026
abdoghazy2015 Credited to abdoghazy2015, xtromera, and A-Z4ki xtromera xtromera
A-Z4ki A-Z4ki
SiYuan Vulnerable to Arbitrary File Read via File Copy Functionality High
CVE-2026-23851 was published for github.com/siyuan-note/siyuan/kernel (Go) Jan 21, 2026
jaroslaw-wawiorko Credited to jaroslaw-wawiorko
Mailpit has a Server-Side Request Forgery (SSRF) via HTML Check API Moderate
CVE-2026-23845 was published for github.com/axllent/mailpit (Go) Jan 21, 2026
mdisec Credited to mdisec and omarkurt omarkurt omarkurt
Orval has a code injection via unsanitized x-enum-descriptions in enum generation Critical
CVE-2026-23947 was published for @orval/core (npm) Jan 21, 2026
k14uz Credited to k14uz and ZipJo ZipJo ZipJo
SiYuan has a Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon Low
CVE-2026-23847 was published for github.com/siyuan-note/siyuan/kernel (Go) Jan 21, 2026
jaroslaw-wawiorko Credited to jaroslaw-wawiorko
Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation Moderate
CVE-2026-21852 was published for @anthropic-ai/claude-code (npm) Jan 21, 2026
Duplicate Advisory: Wrangler affected by OS Command Injection in `wrangler pages deploy` High
GHSA-8h3q-9fpp-c883 was published for wrangler (npm) Jan 21, 2026 withdrawn
binary-parser library has a code injection vulnerability Moderate
CVE-2026-1245 was published for binary-parser (npm) Jan 20, 2026
sei-vsarvepalli Credited to sei-vsarvepalli
Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment Critical
CVE-2026-23518 was published for github.com/fleetdm/fleet (Go) Jan 20, 2026
prateek-0490 Credited to prateek-0490 and JordanMontgomery JordanMontgomery JordanMontgomery
Fleet has an Access Control vulnerability in debug/pprof endpoints High
CVE-2026-23517 was published for github.com/fleetdm/fleet (Go) Jan 20, 2026
prateek-0490 Credited to prateek-0490 and iansltx iansltx iansltx
Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability Moderate
CVE-2026-22808 was published for github.com/fleetdm/fleet (Go) Jan 20, 2026
prateek-0490 Credited to prateek-0490 and iansltx iansltx iansltx
Turbo Frame responses can restore stale session cookies Low
CVE-2025-66803 was published for @hotwired/turbo (npm) Jan 20, 2026
domchristie Credited to domchristie, packagethief, and samoli packagethief packagethief
samoli samoli
ChatterBot Vulnerable to Denial of Service via Database Connection Pool Exhaustion High
CVE-2026-23842 was published for chatterbot (pip) Jan 20, 2026
AdityaBhatt3010 Credited to AdityaBhatt3010
XDocReport affected by a Server-Side Template Injection (SSTI) vulnerability Critical
CVE-2025-64087 was published for fr.opensagres.xdocreport:fr.opensagres.xdocreport.template.freemarker (Maven) Jan 20, 2026
kevinleturc Credited to kevinleturc
XDocReport affected by an XML External Entity (XXE) vulnerability Critical
CVE-2025-65482 was published for fr.opensagres.xdocreport:fr.opensagres.xdocreport.document (Maven) Jan 20, 2026
Mailpit has an SMTP Header Injection via Regex Bypass Moderate
CVE-2026-23829 was published for github.com/axllent/mailpit (Go) Jan 20, 2026
omarkurt Credited to omarkurt
Lobe Chat affected by Cross-Site Scripting(XSS) that can escalate to Remote Code Execution(RCE) Critical
CVE-2026-23733 was published for @lobehub/chat (npm) Jan 20, 2026
c2an1 Credited to c2an1
ImageMagick releases an invalid pointer in BilateralBlur when memory allocation fails Moderate
CVE-2026-22770 was published for Magick.NET-Q16-AnyCPU (NuGet) Jan 20, 2026
esm.sh has a path traversal in extractPackageTarball enables file writes from malicious packages High
CVE-2026-23644 was published for github.com/esm-dev/esm.sh (Go) Jan 20, 2026
kelbyludwig Credited to kelbyludwig
Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion Low
CVE-2026-23522 was published for @lobehub/chat (npm) Jan 20, 2026
DenizParlak Credited to DenizParlak
Kimai has an Authenticated Server-Side Template Injection (SSTI) Moderate
CVE-2026-23626 was published for kimai/kimai (Composer) Jan 20, 2026
HUSEYNKHANLI Credited to HUSEYNKHANLI
External Secrets Operator insecurely retrieves secrets through the getSecretKey templating function Critical
CVE-2026-22822 was published for github.com/external-secrets/external-secrets (Go) Jan 20, 2026
evrardjp Credited to evrardjp, budimanjojo, and gusfcarvalho budimanjojo budimanjojo
gusfcarvalho gusfcarvalho
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database