
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

27,557 advisories

ImageMagick is vulnerable to Heap Overflow when writing extremely large image profile in the PNG encoder Moderate
CVE-2026-30883 was published for Magick.NET-Q16-AnyCPU (NuGet) Mar 10, 2026
Credited to Mcsky23
Elysia has a string URL format ReDoS High
CVE-2026-30837 was published for elysia (npm) Mar 10, 2026
Credited to EdamAme-x
Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter Critical
CVE-2026-29793 was published for @feathersjs/mongodb (npm) Mar 10, 2026
Credited to sofianeelhor
Feathers has an OAuth Callback Account Takeover issue Critical
CVE-2026-29792 was published for @feathersjs/authentication-oauth (npm) Mar 10, 2026
Credited to sofianeelhor
ImageMagick has a heap buffer over-read via 32-bit integer overflow in MAT decoder Moderate
CVE-2026-28692 was published for Magick.NET-Q16-AnyCPU (NuGet) Mar 10, 2026
Credited to ylwango613
ImageMagick has a Path Policy TOCTOU symlink race bypass Moderate
CVE-2026-28689 was published for Magick.NET-Q16-AnyCPU (NuGet) Mar 10, 2026
Credited to andsopwn
MCP Atlassian has SSRF via unvalidated X-Atlassian-Jira-Url / X-Atlassian-Confluence-Url headers High
CVE-2026-27826 was published for mcp-atlassian (pip) Mar 10, 2026
Credited to yotampe-pluto and gil-maman-p
Credited to CodeAnt-AI-Security
Envoy's global rate limit may crash when the response phase limit is enabled and the response phase request is failed directly Moderate
CVE-2026-26330 was published for github.com/envoyproxy/envoy (Go) Mar 10, 2026
Credited to phlax, yanavlasov, botengyao, and agrawroh
Envoy: HTTP - filter chain execution on reset streams causing UAF crash Moderate
CVE-2026-26311 was published for github.com/envoyproxy/envoy (Go) Mar 10, 2026
Credited to MushroomWasp, agrawroh, yanavlasov, botengyao, and phlax
Vaadin: Specially crafted ZIP archives can escape the intended extraction directory Low
CVE-2026-2741 was published for com.vaadin:flow-project (Maven) Mar 10, 2026
Duplicate Advisory: Microsoft Security Advisory CVE-2026-26131 – .NET Elevation of Privilege Vulnerability High
GHSA-387c-qmrw-59qv was published for Microsoft.NetCore.App.Runtime.linux-arm (NuGet) Mar 10, 2026 withdrawn
Duplicate Advisory: .NET Denial of Service Vulnerability High
GHSA-vh8f-65qg-3m8j was published for Microsoft.AspNetCore.App.Runtime.linux-arm (NuGet) Mar 10, 2026 withdrawn
Duplicate Advisory: .NET Denial of Service Vulnerability High
GHSA-c8gq-rhqh-wgwm was published for Microsoft.Bcl.Memory (NuGet) Mar 10, 2026 withdrawn
Vaadin Vulnerable to Authentication Bypass When Accessing the /VAADIN Endpoint Without a Trailing Slash Moderate
CVE-2026-2742 was published for com.vaadin:flow-server (Maven) Mar 10, 2026
Credited to alzimmermsft and vcolin7
Apache PDFBox has Path Traversal through PDComplexFileSpecification.getFilename() function Moderate
CVE-2026-23907 was published for org.apache.pdfbox:pdfbox-examples (Maven) Mar 10, 2026
LimeSurvey is vulnerable to SQL injection High
CVE-2025-56421 was published for limesurvey/limesurvey (Composer) Mar 10, 2026
Envoy affected by off-by-one write in JsonEscaper::escapeString() Moderate
CVE-2026-26309 was published for github.com/envoyproxy/envoy (Go) Mar 10, 2026
Credited to Finder16, agrawroh, phlax, and botengyao
Envoy has RBAC Header Validation Bypass via Multi-Value Header Concatenation High
CVE-2026-26308 was published for github.com/envoyproxy/envoy (Go) Mar 10, 2026
Credited to botengyao, phlax, and agrawroh
Parse Server: SQL injection via dot-notation field name in PostgreSQL Critical
CVE-2026-31840 was published for parse-server (npm) Mar 10, 2026
Credited to restriction and mtrezza
Craft Commerce: Potential IDOR in Commerce carts Moderate
CVE-2026-31867 was published for craftcms/commerce (Composer) Mar 10, 2026
Credited to rlarabee and RajChowdhury240
Craft Commerce has stored XSS in Craft Commerce Order Details Slideout Low
CVE-2026-29177 was published for craftcms/commerce (Composer) Mar 10, 2026
Credited to mHe4am
Craft Commerce has stored XSS in Inventory Location Name Moderate
CVE-2026-29176 was published for craftcms/commerce (Composer) Mar 10, 2026
Credited to mHe4am