
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

28,407 advisories

React Router has XSS Vulnerability (High)
CVE-2025-59057 was published for @remix-run/react (npm) on Jan 8, 2026
Credited to zaddy6 and arthurgervais
RustFS has IAM deny_only Short-Circuit that Allows Privilege Escalation via Service Account Minting (Moderate)
CVE-2026-22043 was published for rustfs (Rust) on Jan 8, 2026
Credited to Threonine

RustFS has IAM Incorrect Authorization in ImportIam that Allows Privilege Escalation (Moderate)
CVE-2026-22042 was published for rustfs (Rust) on Jan 8, 2026
Credited to Threonine
Kirby is missing permission checks in the content changes API (Moderate)
CVE-2026-21896 was published for getkirby/cms (Composer) on Jan 8, 2026
Credited to lukaskleinschmidt
NiceGUI has Redis connection leak via tab storage that causes service degradation (Moderate)
CVE-2026-21874 was published for nicegui (pip) on Jan 8, 2026
Credited to yudelevi and evnchn

NiceGUI apps which use `ui.sub_pages` are vulnerable to zero-click XSS (High)
CVE-2026-21873 was published for nicegui (pip) on Jan 8, 2026
Credited to evnchn and falkoschindler
CoreDNS gRPC/HTTPS/HTTP3 servers lack resource limits, enabling DoS via unbounded connections and oversized messages (Moderate)
CVE-2025-68151 was published for github.com/coredns/coredns (Go) on Jan 8, 2026
Credited to thevilledev

Credited to evnchn, xx-mikusan-xx, and falkoschindler
NiceGUI is vulnerable to XSS via Unescaped URL in ui.navigate.history.push() / replace() (Moderate)
CVE-2026-21871 was published for nicegui (pip) on Jan 8, 2026
Credited to xx-mikusan-xx, evnchn, and falkoschindler
Werkzeug safe_join() allows Windows special device names with compound extensions (Moderate)
CVE-2026-21860 was published for Werkzeug (pip) on Jan 8, 2026
Credited to yueyueL and MushroomWasp
picklescan has Arbitrary file read using `io.FileIO` (High)
GHSA-9726-w42j-3qjr was published for picklescan (pip) on Jan 8, 2026
Credited to shivasurya
Keycloak has Incorrect Behavior Order: Authorization Before Parsing and Canonicalization (Moderate)
CVE-2026-0707 was published for org.keycloak:keycloak-parent (Maven) on Jan 8, 2026

wolfSSL Python module vulnerable to Improper Authentication (Critical)
CVE-2025-15346 was published for wolfssl (pip) on Jan 8, 2026
Credited to rhdesmond
records-mover Injection vulnerability (Moderate)
CVE-2023-7333 was published for records-mover (pip) on Jan 8, 2026

Bio-Formats has an XML External Entity (XXE) vulnerability (Moderate)
CVE-2026-22186 was published for ome:pom-bio-formats (Maven) on Jan 7, 2026

`IterMut` violates Stacked Borrows by invalidating internal pointer (Low)
GHSA-rhfx-m35p-ff5j was published for lru (Rust) on Jan 7, 2026
OpenMetadata's Server-Side Template Injection (SSTI) in FreeMarker email templates leads to RCE (High)
CVE-2026-22244 was published for org.open-metadata:platform (Maven) on Jan 7, 2026
Credited to lnlinh31, manerow, TeddyCr, and pmbrull
CoreShop Vulnerable to SQL Injection via Admin Reports (Moderate)
CVE-2026-22242 was published for coreshop/core-shop (Composer) on Jan 7, 2026
Credited to PlyNatwara and bypazs
loggingredactor converts non-string types to string types in logs (Low)
CVE-2026-22041 was published for loggingredactor (pip) on Jan 7, 2026
Credited to armurox

Preact has JSON VNode Injection issue (High)
CVE-2026-22028 was published for preact (npm) on Jan 7, 2026
Credited to Xvezda
n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks (Moderate)
CVE-2026-21894 was published for n8n (npm) on Jan 7, 2026
Credited to nkoorty, jjjutla, and geckosecurity
Miniflux Media Proxy SSRF via /proxy endpoint allows access to internal network resources (Moderate)
CVE-2026-21885 was published for miniflux.app/v2 (Go) on Jan 7, 2026
Credited to eclipse07077-ljw

n8n Vulnerable to Unauthenticated File Access via Improper Webhook Request Handling (Critical)
CVE-2026-21858 was published for n8n (npm) on Jan 7, 2026
Credited to dorattias
Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API) (High)
CVE-2026-21441 was published for urllib3 (pip) on Jan 7, 2026
Credited to D47A, illia-v, pquentin, and sethmlarson