GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

25,938 advisories

Sliver has DNS C2 OTP Bypass that Allows Unauthenticated Session Flooding and Denial of Service High
CVE-2026-25791 was published for github.com/bishopfox/sliver (Go) Feb 6, 2026
Credited to xtle0o0
Antrea has invalid enforcement order for network policy rules caused by integer overflow High
CVE-2026-25804 was published for antrea.io/antrea (Go) Feb 6, 2026
Credited to antoninbas
Keylime Missing Authentication for Critical Function and Improper Authentication Critical
CVE-2026-1709 was published for keylime (pip) Feb 6, 2026
LookupResources Cursor section tampering can crash SpiceDB process via tuple.MustParse panic Low
GHSA-vhvq-fv9f-wh4q was published for github.com/authzed/spicedb (Go) Feb 6, 2026
Credited to 1seal
Duplicate Advisory: Keylime Missing Authentication for Critical Function and Improper Authentication Critical
GHSA-27jc-jmp8-qfw5 was published for keylime (pip) Feb 6, 2026 withdrawn
`uniswap-utils` was removed from crates.io for malicious code Critical
GHSA-x468-phr8-h3p3 was published for uniswap-utils (Rust) Feb 6, 2026
`sha-rust` was removed from crates.io for malicious code Critical
GHSA-3mmg-7c2q-8938 was published for sha-rust (Rust) Feb 6, 2026
`finch-rust` was removed from crates.io for malicious code Critical
GHSA-f8h5-x737-x4xr was published for finch-rust (Rust) Feb 6, 2026
`polymarket-clients-sdk` was removed from crates.io for malicious code Critical
GHSA-382q-fpqh-29f7 was published for polymarket-clients-sdk (Rust) Feb 6, 2026
`evm-units` was removed from crates.io for malicious code Critical
GHSA-6662-54xr-8423 was published for evm-units (Rust) Feb 6, 2026
Blocklist Bypass possible via ECDSA Signature Malleability High
CVE-2026-25793 was published for github.com/slackhq/nebula (Go) Feb 6, 2026
Credited to ZeroXJacks
Gogs has authorization bypass in repository deletion API Moderate
CVE-2025-65852 was published for gogs.io/gogs (Go) Feb 6, 2026
Credited to Yannis175
Gogs vulnerable to Stored XSS via Mermaid diagrams High
GHSA-26gq-grmh-6xm6 was published for gogs.io/gogs (Go) Feb 6, 2026
Credited to jdomeracki
A single post-release of dydx-v4-client contained obfuscated multi-stage loader Critical
GHSA-4f84-67cv-qrv3 was published for dydx-v4-client (pip) Feb 6, 2026
Phlex XSS protection bypass via attribute splatting, dynamic tags, and href values High
GHSA-w67g-2h6v-vjgq was published for phlex (RubyGems) Feb 6, 2026
AdonisJS multipart body parsing has Prototype Pollution issue High
CVE-2026-25754 was published for @adonisjs/bodyparser (npm) Feb 6, 2026
Credited to RomainLanz
Claude Code has Sandbox Escape via Persistent Configuration Injection in settings.json High
CVE-2026-25725 was published for @anthropic-ai/claude-code (npm) Feb 6, 2026
Claude Code has Permission Deny Bypass Through Symbolic Links Low
CVE-2026-25724 was published for @anthropic-ai/claude-code (npm) Feb 6, 2026
Claude Code Vulnerable to Command Injection via Piped sed Command Bypasses File Write Restrictions High
CVE-2026-25723 was published for @anthropic-ai/claude-code (npm) Feb 6, 2026
Claude Code Vulnerable to Command Injection via Directory Change Bypasses Write Protection High
CVE-2026-25722 was published for @anthropic-ai/claude-code (npm) Feb 6, 2026
[actix-files] Panic triggered by empty Range header in GET request for static file Moderate
GHSA-gcqf-3g44-vc9p was published for actix-files (Rust) Feb 6, 2026
Credited to Diomendius and JohnTitor
actix-files has a possible exposure of information vulnerability Moderate
GHSA-8v2v-wjwg-vx6r was published for actix-files (Rust) Feb 6, 2026
Credited to Angelmmiguel and JohnTitor
client-certificate-auth Vulnerable to Open Redirect via Host Header Injection in HTTP-to-HTTPS redirect Moderate
CVE-2026-25651 was published for client-certificate-auth (npm) Feb 6, 2026
MCP-Salesforce's arbitrary attribute access leads to disclosure of Salesforce auth token High
CVE-2026-25650 was published for mcp-salesforce-connector (pip) Feb 6, 2026