GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

25,938 advisories

n8n has OS Command Injection in Git Node Critical
CVE-2026-25053 was published for n8n (npm) Feb 4, 2026
Credited to fatihhcelik, simonkoeck, and yadhukrishnam
n8n's Improper File Access Controls Allow Arbitrary File Read by Authenticated Users Critical
CVE-2026-25052 was published for n8n (npm) Feb 4, 2026
Credited to theolelasseux
n8n's Improper CSP Enforcement in Webhook Responses May Allow Stored XSS High
CVE-2026-25051 was published for n8n (npm) Feb 4, 2026
Credited to weblover12
n8n Has Expression Escape Vulnerability Leading to RCE Critical
CVE-2026-25049 was published for n8n (npm) Feb 4, 2026
Credited to fatihhcelik, eilonc-pillar, cristianstaicu, sandeepl337, nickcopi, joshft, yadhukrishnam, doyler, zolbooo, and nnfrog
Apollo Serve vulnerable to Denial of Service with `startStandaloneServer` High
CVE-2026-23897 was published for @apollo/server (npm) Feb 4, 2026
Credited to ChALkeR
n8n Vulnerable to Command Injection in Community Package Installation Critical
CVE-2026-21893 was published for n8n (npm) Feb 4, 2026
Credited to berkdedekarginoglu
n8n's Unsafe Buffer Allocation Allows In-Process Memory Disclosure in Task Runner High
CVE-2025-61917 was published for n8n (npm) Feb 4, 2026
Neo4j Enterprise and Community vulnerable to a potential information disclosure Moderate
CVE-2026-1622 was published for org.neo4j:neo4j (Maven) Feb 4, 2026
Apache Answer Exposure of Private Personal Information to an Unauthorized Actor vulnerability Moderate
CVE-2026-24735 was published for github.com/apache/answer (Go) Feb 4, 2026
ingress-nginx vulnerable to Allocation of Resources Without Limits or Throttling Moderate
CVE-2026-24514 was published for k8s.io/ingress-nginx (Go) Feb 4, 2026
ingress-nginx has Improper Check for Unusual or Exceptional Conditions Low
CVE-2026-24513 was published for k8s.io/ingress-nginx (Go) Feb 4, 2026
ingress-nginx's `rules.http.paths.path` Ingress field can be used to inject configuration into nginx High
CVE-2026-24512 was published for k8s.io/ingress-nginx (Go) Feb 4, 2026
Credited to yunfachi
Navidrome has XSS via comment from song metadata Moderate
CVE-2026-25578 was published for github.com/navidrome/navidrome (Go) Feb 4, 2026
Credited to AlexGustafsson
melange has a path traversal in license-path which allows reading files outside workspace Moderate
CVE-2026-25145 was published for chainguard.dev/melange (Go) Feb 4, 2026
Credited to 1seal, sil2100, antitree, egibs, and eslerm
melange affected by potential host command execution via license-check YAML mode patch pipeline High
CVE-2026-25143 was published for chainguard.dev/melange (Go) Feb 4, 2026
Credited to 1seal, egibs, sil2100, and antitree
Credited to 1seal, egibs, antitree, and jdolitsky
apko affected by unbounded resource consumption in expandapk.Split on attacker-controlled .apk streams Moderate
CVE-2026-25122 was published for chainguard.dev/apko (Go) Feb 3, 2026
Credited to 1seal, egibs, antitree, and jdolitsky
apko has a path traversal in apko dirFS which allows filesystem writes outside base High
CVE-2026-25121 was published for chainguard.dev/apko (Go) Feb 3, 2026
Credited to 1seal, jdolitsky, antitree, xornivore, eslerm, egibs, and stevebeattie
melange pipeline working-directory could allow command injection High
CVE-2026-24844 was published for chainguard.dev/melange (Go) Feb 3, 2026
Credited to 1seal, antitree, egibs, 89luca89, and eslerm
melange QEMU runner could write files outside workspace directory High
CVE-2026-24843 was published for chainguard.dev/melange (Go) Feb 3, 2026
Credited to 1seal, antitree, egibs, 89luca89, and eslerm
PrestaShop affected by time based enumeration in FO login form Moderate
CVE-2026-25597 was published for prestashop/prestashop (Composer) Feb 3, 2026
Qwik City Open Redirect via fixTrailingSlash Low
CVE-2026-25149 was published for @builder.io/qwik-city (npm) Feb 3, 2026
Credited to wodzen