Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
48
Go
3,399
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,619
Pub
13
RubyGems
1,026
Rust
1,205
Swift
52
Unreviewed advisories
All unreviewed
5,000+

28,316 advisories

Loading
@fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding) High
CVE-2026-22037 was published for @fastify/express (npm) Jan 20, 2026
rootxharsh Credited to rootxharsh, Eomm, and mcollina Eomm Eomm
mcollina mcollina
Fastify Middie Middleware Path Bypass High
CVE-2026-22031 was published for @fastify/middie (npm) Jan 20, 2026
rootxharsh Credited to rootxharsh, kamilmysliwiec, Eomm, and mcollina kamilmysliwiec kamilmysliwiec
Eomm Eomm mcollina mcollina
Pterodactyl endlessly reprocesses/reuploads activity log data due to SQLite max parameters limit not being considered High
CVE-2026-21696 was published for github.com/pterodactyl/wings (Go) Jan 20, 2026
danny6167 Credited to danny6167
Pterodactyl websocket endpoints have no visible rate limits or monitoring, allowing for DOS attacks High
CVE-2025-69199 was published for github.com/pterodactyl/wings (Go) Jan 20, 2026
KianBrose Credited to KianBrose
Pterodactyl improperly locks resources allowing raced queries to create more resources than alloted Moderate
CVE-2025-69198 was published for pterodactyl/panel (Composer) Jan 20, 2026
vsevolodmelnyk Credited to vsevolodmelnyk and hymaxo hymaxo hymaxo
WeasyPrint has a Server-Side Request Forgery (SSRF) Protection Bypass via HTTP Redirect High
CVE-2025-68616 was published for weasyprint (pip) Jan 20, 2026
g4nkd Credited to g4nkd
Keycloak’s OpenID Connect Dynamic Client Registration feature affected by Server-Side Request Forgery (SSRF) Moderate
CVE-2026-1180 was published for org.keycloak:keycloak-adapter-core (Maven) Jan 20, 2026
MineAdmin improperly refreshes tokens Low
CVE-2026-1195 was published for mineadmin/mineadmin (Composer) Jan 20, 2026
MineAdmin May Expose Sensitive Information to an Unauthorized Actor Low
CVE-2026-1196 was published for mineadmin/mineadmin (Composer) Jan 20, 2026
Chainlit contain a server-side request forgery (SSRF) vulnerability High
CVE-2026-22219 was published for chainlit (pip) Jan 20, 2026
MineAdmin has Incorrect Privilege Assignment Low
CVE-2026-1193 was published for mineadmin/mineadmin (Composer) Jan 20, 2026
MineAdmin May Expose Sensitive Information to an Unauthorized Actor Moderate
CVE-2026-1194 was published for mineadmin/mineadmin (Composer) Jan 20, 2026
Apache Linkis: Password Exposure Moderate
CVE-2025-59355 was published for org.apache.linkis:linkis-metadata (Maven) Jan 19, 2026
Apache Linkis: Arbitrary File Read via Double URL Encoding Bypass High
CVE-2025-29847 was published for org.apache.linkis:linkis (Maven) Jan 19, 2026
Open Chinese Convert has Out-of-bounds Write Low
CVE-2025-15536 was published for opencc (npm) Jan 18, 2026
risesoft-y9 Digital-Infrastructure has a SQL injection vulnerability Moderate
CVE-2026-1050 was published for net.risesoft:risenet-y9boot-support-platform-service (Maven) Jan 17, 2026
node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization High
CVE-2026-23745 was published for tar (npm) Jan 16, 2026
Jvr2022 Credited to Jvr2022
REC in MCPJam inspector due to HTTP Endpoint exposes Critical
CVE-2026-23744 was published for @mcpjam/inspector (npm) Jan 16, 2026
c2an1 Credited to c2an1
GraphQL Modules has a Race Condition issue High
CVE-2026-23735 was published for graphql-modules (npm) Jan 16, 2026
DuckThom Credited to DuckThom, enisdenjo, and ardatan enisdenjo enisdenjo
ardatan ardatan
Veramo is Vulnerable to SQL Injection in Veramo Data Store ORM Moderate
GHSA-38cw-85xc-xr9x was published for @veramo/data-store (npm) Jan 16, 2026
rekter0 Credited to rekter0
Skipper is vulnerable to arbitrary code execution through lua filters High
CVE-2026-23742 was published for github.com/zalando/skipper (Go) Jan 16, 2026
moyushui Credited to moyushui and b0b0haha b0b0haha b0b0haha
svelte is vulnerable to XSS with textarea bind:value High
GHSA-gw32-9rmw-qwww was published for svelte (npm) Jan 16, 2026
coyotte508 Credited to coyotte508, Conduitry, and benmccann Conduitry Conduitry
benmccann benmccann
CakePHP PaginatorHelper::limitControl() vulnerable to reflected cross-site-scripting Moderate
CVE-2026-23643 was published for cakephp/cakephp (Composer) Jan 16, 2026
phpcss-ankue Credited to phpcss-ankue and markstory markstory markstory
Crawl4AI is Vulnerable to Remote Code Execution in Docker API via Hooks Parameter Critical
CVE-2026-26216 was published for Crawl4AI (pip) Jan 16, 2026
Crawl4AI Has Local File Inclusion in Docker API via file:// URLs Critical
CVE-2026-26217 was published for crawl4ai (pip) Jan 16, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database