Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
61
GitHub Actions
50
Go
3,805
Maven
5,000+
npm
5,000+
NuGet
938
pip
5,000+
Pub
13
RubyGems
1,059
Rust
1,351
Swift
54
Unreviewed advisories
All unreviewed
5,000+

30,485 advisories

Loading
Fleet: IP spoofing allows bypassing API rate limiting Moderate
CVE-2026-46356 was published for github.com/fleetdm/fleet (Go) May 14, 2026
CoreShop Vulnerable to Remote Code Execution (RCE) via Insecure `pull_request_target` Configuration High
CVE-2026-41249 was published for coreshop/core-shop (Composer) May 14, 2026
smiotani-aeyesec Credited to smiotani-aeyesec
Strapi may leak sensitive data via relational filtering due to lack of query sanitization Critical
CVE-2026-27886 was published for @strapi/strapi (npm) May 14, 2026
WildWestCyberSecurity Credited to WildWestCyberSecurity, innerdvations, derrickmehaffy, and nclsndr innerdvations innerdvations
derrickmehaffy derrickmehaffy nclsndr nclsndr
Fleet vulnerable to OS command injection in software packages Moderate
CVE-2026-26191 was published for github.com/fleetdm/fleet/v4 (Go) May 14, 2026
Fleet server may terminate unexpectedly when handling certain gRPC requests High
CVE-2026-26062 was published for github.com/fleetdm/fleet/v4 (Go) May 14, 2026
Fleet Windows MDM Azure AD JWT Authentication Bypass High
CVE-2026-24899 was published for github.com/fleetdm/fleet/v4 (Go) May 14, 2026
zaddy6 Credited to zaddy6 and arthurgervais arthurgervais arthurgervais
Fleet has a rate limiting bypass via untrusted client IP headers Moderate
CVE-2026-24000 was published for github.com/fleetdm/fleet/v4 (Go) May 14, 2026
Fleet has a Windows MDM management endpoint authentication bypass High
CVE-2026-23998 was published for github.com/fleetdm/fleet/v4 (Go) May 14, 2026
Strapi Upload Plugin MIME Validation Bypass via Content API Moderate
CVE-2026-22707 was published for @strapi/upload (npm) May 14, 2026
kaminuma Credited to kaminuma and arkmarta arkmarta arkmarta
Amazon Redshift Vulnerable to Remote Code Execution via Unsafe Class Loading Critical
CVE-2026-8178 was published for com.amazon.redshift:redshift-jdbc42 (Maven) May 14, 2026
Fushuling Credited to Fushuling
Absinthe: Quadratic fragment-name uniqueness check High
CVE-2026-43967 was published for absinthe (Erlang) May 14, 2026
PJUllrich Credited to PJUllrich and cschiewek cschiewek cschiewek
Absinthe: Unbounded atom creation from parsed directive name High
CVE-2026-42793 was published for absinthe (Erlang) May 14, 2026
PJUllrich Credited to PJUllrich and cschiewek cschiewek cschiewek
Strapi: Password Reset Does Not Revoke Existing Refresh Sessions Low
CVE-2026-22706 was published for @strapi/admin (npm) May 13, 2026
zaddy6 Credited to zaddy6, arthurgervais, derrickmehaffy, and AndyAnh174 arthurgervais arthurgervais
derrickmehaffy derrickmehaffy AndyAnh174 AndyAnh174
Strapi Vulnerable to SQL Injection in Content Type Builder Critical
CVE-2026-22599 was published for @strapi/content-type-builder (npm) May 13, 2026
whiteov3rflow Credited to whiteov3rflow, derrickmehaffy, and markkaylor derrickmehaffy derrickmehaffy
markkaylor markkaylor
Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying Moderate
CVE-2025-64526 was published for @strapi/plugin-users-permissions (npm) May 13, 2026
adriatikii Credited to adriatikii and derrickmehaffy derrickmehaffy derrickmehaffy
SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution Critical
CVE-2026-45375 was published for github.com/siyuan-note/siyuan/kernel (Go) May 13, 2026
Revanth011 Credited to Revanth011
SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs High
CVE-2026-45371 was published for github.com/siyuan-note/siyuan/kernel (Go) May 13, 2026
fg0x0 Credited to fg0x0
Anchor: `InterfaceAccount` allows account substitution between unexpected types High
GHSA-429q-fhh4-r6hj was published for anchor-lang (Rust) May 13, 2026
acheroncrypto Credited to acheroncrypto
wger has an Uncontrolled Resource Consumption issue Moderate
GHSA-v25j-wqcw-fvhj was published for wger (pip) May 13, 2026
KadirArslan Credited to KadirArslan
Goobi viewer - Core: Unauthenticated Solr Streaming Expression Proxy Critical
CVE-2026-45083 was published for io.goobi.viewer:viewer-core (Maven) May 13, 2026
uniget is Vulnerable to Command Injection in tool.Check Leading to Arbitrary Code Execution High
CVE-2026-45152 was published for gitlab.com/uniget-org/cli (Go) May 13, 2026
0x5t4l1n Credited to 0x5t4l1n
SiYuan has broken access control in `/api/search/{searchAsset,searchTag,searchWidget,searchTemplate}` publish-mode Moderate
CVE-2026-45148 was published for github.com/siyuan-note/siyuan/kernel (Go) May 13, 2026
StarPlatinu Credited to StarPlatinu
SiYuan: Broken access control in `/api/tag/getTag` — Reader role can mutate `Conf.Tag.Sort` and persist to disk Moderate
CVE-2026-45147 was published for github.com/siyuan-note/siyuan/kernel (Go) May 13, 2026
StarPlatinu Credited to StarPlatinu
Obot has an authorization bypass in /mcp-connect/{id} that allows any authenticated user to use any registered MCP server Critical
GHSA-vw82-7fv8-r6gp was published for github.com/obot-platform/obot (Go) May 13, 2026
Anchor: Program<'info, System> is not properly validated High
CVE-2026-45137 was published for anchor-lang (Rust) May 13, 2026
Matthias1590 Credited to Matthias1590
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database