Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
48
Go
3,402
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,631
Pub
13
RubyGems
1,026
Rust
1,205
Swift
53
Unreviewed advisories
All unreviewed
5,000+

28,344 advisories

Loading
CakePHP PaginatorHelper::limitControl() vulnerable to reflected cross-site-scripting Moderate
CVE-2026-23643 was published for cakephp/cakephp (Composer) Jan 16, 2026
phpcss-ankue Credited to phpcss-ankue and markstory markstory markstory
Crawl4AI is Vulnerable to Remote Code Execution in Docker API via Hooks Parameter Critical
CVE-2026-26216 was published for Crawl4AI (pip) Jan 16, 2026
Crawl4AI Has Local File Inclusion in Docker API via file:// URLs Critical
CVE-2026-26217 was published for crawl4ai (pip) Jan 16, 2026
SiYuan Has a Stored Cross-Site Scripting (XSS) Vulnerability via Unrestricted SVG File Upload Moderate
CVE-2026-23645 was published for github.com/siyuan-note/siyuan/kernel (Go) Jan 16, 2026
jaroslaw-wawiorko Credited to jaroslaw-wawiorko
Active Job - Object injection security vulnerability Moderate
GHSA-mpwp-4h2m-765c was published for activejob (RubyGems) Jan 16, 2026
ActiveRecord-JDBC-Adapter (AR-JDBC) lib/arjdbc/jdbc/adapter.rb sql.gsub() Function SQL Injection High
GHSA-5qw5-wf2q-f538 was published for activerecord-jdbc-adapter (RubyGems) Jan 16, 2026
pyasn1 has a DoS vulnerability in decoder High
CVE-2026-23490 was published for pyasn1 (pip) Jan 16, 2026
tsigouris007 Credited to tsigouris007
Weblate wlc path traversal vulnerability: Unsanitized API slugs in download command High
CVE-2026-23535 was published for wlc (pip) Jan 16, 2026
Zee99y Credited to Zee99y and nijel nijel nijel
Dask Distributed is Vulnerable to Remote Code Execution via Jupyter Proxy and Dashboard Moderate
CVE-2026-23528 was published for distributed (pip) Jan 16, 2026
Deno has an incomplete fix for command-injection prevention on Windows — case-insensitive extension bypass High
CVE-2026-22864 was published for deno (Rust) Jan 16, 2026
SharokhAtaie Credited to SharokhAtaie and B14CK-SPID3R B14CK-SPID3R B14CK-SPID3R
Deno node:crypto doesn't finalize cipher Critical
CVE-2026-22863 was published for deno (Rust) Jan 16, 2026
davidebombelli Credited to davidebombelli, vdata1, and reallyTG vdata1 vdata1
reallyTG reallyTG
RustFS's RPC signature verification logs shared secret Low
CVE-2026-22782 was published for rustfs (Rust) Jan 16, 2026
rand-tech Credited to rand-tech
Nu Html Checker (vnu) contains a Server-Side Request Forgery (SSRF) vulnerability Moderate
CVE-2025-15104 was published for nu.validator:validator (Maven) Jan 16, 2026
augustocesarperin Credited to augustocesarperin
Livewire Filemanager does not restrict uploaded file types High
CVE-2025-14894 was published for livewire-filemanager/filemanager (Composer) Jan 16, 2026
Mattermost is vulnerable to DoS due to infinite re-renders on API errors Moderate
CVE-2025-14435 was published for github.com/mattermost/mattermost-server (Go) Jan 16, 2026
Apache Airflow proxy credentials for various providers might leak in task logs High
CVE-2025-68675 was published for apache-airflow (pip) Jan 16, 2026
Apache Airflow secrets in rendered templates could contain parts of sensitive values when truncated High
CVE-2025-68438 was published for apache-airflow (pip) Jan 16, 2026
Mattermost is vulnerable to CPU exhaustion via crafted HTTP request Low
CVE-2025-14822 was published for github.com/mattermost/mattermost-server (Go) Jan 16, 2026
PlantUML is vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams Low
CVE-2026-0858 was published for net.sourceforge.plantuml:plantuml (Maven) Jan 16, 2026
Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall Moderate
CVE-2026-22045 was published for github.com/traefik/traefik/v2 (Go) Jan 15, 2026
pavelkohout396 Credited to pavelkohout396
solspace/craft-freeform Exposed to Known Axios Vulnerabilities via Precompiled Assets Low
GHSA-rwr8-xrpw-9qf5 was published for solspace/craft-freeform (Composer) Jan 15, 2026
solspace/craft-freeform Vulnerable to XSS in `PhpSpreadsheet` HTML Writer Due to Unsanitized Styling Data Low
GHSA-44jg-mv3h-wj6g was published for solspace/craft-freeform (Composer) Jan 15, 2026
riekusdn Credited to riekusdn
devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse High
CVE-2026-22775 was published for devalue (npm) Jan 15, 2026
jviide Credited to jviide, elliott-with-the-longest-name-on-github, and Rich-Harris elliott-with-the-longest-name-on-github elliott-with-the-longest-name-on-github
Rich-Harris Rich-Harris
Vert.x Web static handler component cache can be manipulated to deny the access to static files Moderate
CVE-2026-1002 was published for io.vertx:vertx-core (Maven) Jan 15, 2026
yeikel Credited to yeikel
lakeFS is Missing Timestamp Validation in S3 Gateway Authentication Moderate
CVE-2025-68671 was published for github.com/treeverse/lakefs (Go) Jan 15, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database