GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

25,938 advisories

Qwik City has a CSRF Protection Bypass via Content-Type Header Validation Moderate
CVE-2026-25151 was published for @builder.io/qwik-city (npm) Feb 3, 2026
Credited to KageShiron
Prototype Pollution via FormData Processing in Qwik City Critical
CVE-2026-25150 was published for @builder.io/qwik-city (npm) Feb 3, 2026
Credited to yueyueL
Qwik SSR XSS via Unsafe Virtual Node Serialization Moderate
CVE-2026-25148 was published for @builder.io/qwik-city (npm) Feb 3, 2026
Credited to wodzen
@isaacs/brace-expansion has Uncontrolled Resource Consumption High
CVE-2026-25547 was published for @isaacs/brace-expansion (npm) Feb 3, 2026
Credited to Jvr2022 and intrigus-lgtm
Claude Code has a Command Injection in find Command Bypasses User Approval Prompt High
CVE-2026-24887 was published for @anthropic-ai/claude-code (npm) Feb 3, 2026
Claude Code has a Path Restriction Bypass via ZSH Clobber which Allows Arbitrary File Writes High
CVE-2026-24053 was published for @anthropic-ai/claude-code (npm) Feb 3, 2026
HtmlSanitizer has a bypass via template tag Moderate
CVE-2026-25543 was published for HtmlSanitizer (NuGet) Feb 3, 2026
Credited to nsysean
bytes has integer overflow in BytesMut::reserve Moderate
CVE-2026-25541 was published for bytes (Rust) Feb 3, 2026
Credited to ksj1230, Darksonn, and seanmonstar
Claude Code has a Domain Validation Bypass which Allows Automatic Requests to Attacker-Controlled Domains High
CVE-2026-24052 was published for @anthropic-ai/claude-code (npm) Feb 3, 2026
OpenSTAManager has an SQL Injection in the Stampe Module High
CVE-2025-69215 was published for devcode-it/openstamanager (Composer) Feb 3, 2026
Credited to lukasz-rybak
jsonwebtoken has Type Confusion that leads to potential authorization bypass Moderate
CVE-2026-25537 was published for jsonwebtoken (Rust) Feb 3, 2026
Credited to Kr1shna4garwal
OpenSTAManager has a SQL Injection in ajax_complete.php (get_sedi endpoint) High
CVE-2025-69213 was published for devcode-it/openstamanager (Composer) Feb 3, 2026
Credited to lukasz-rybak
Cloudflare Agents SDK has Insecure Direct Object Reference (IDOR) via Header-Based Email Routing Moderate
CVE-2026-1664 was published for agents (npm) Feb 3, 2026
Wagtail has improper permission handling on admin preview endpoints Moderate
CVE-2026-25517 was published for wagtail (pip) Feb 3, 2026
Credited to thxtech, gasman, RealOrangeOne, and laymonage
Duplicate Advisory: Insecure Deserialization (pickle) in pdfminer.six CMap Loader — Local Privesc High
GHSA-8x2r-v9x5-3qgh was published for pdfminer.six (pip) Feb 3, 2026 (withdrawn)
FUXA contains an Unrestricted File Upload vulnerability High
CVE-2025-69981 was published for fuxa-server (npm) Feb 3, 2026
FUXA allows Remote Code Execution (RCE) via the project import functionality High
CVE-2025-69983 was published for fuxa-server (npm) Feb 3, 2026
FUXA contains a hard-coded credential vulnerability High
CVE-2025-69971 was published for fuxa-server (npm) Feb 3, 2026
FUXA contains an insecure default configuration vulnerability High
CVE-2025-69970 was published for fuxa-server (npm) Feb 3, 2026
Podinfo affected by Arbitrary File Upload that leads to Stored Cross-Site Scripting (XSS) Low
CVE-2025-70849 was published for github.com/stefanprodan/podinfo (Go) Feb 3, 2026
Apache Syncope: Console XXE on Keymaster parameters Moderate
CVE-2026-23795 was published for org.apache.syncope.client.idrepo:syncope-client-idrepo-console (Maven) Feb 3, 2026
Apache Syncope: Reflected XSS on Enduser Login Moderate
CVE-2026-23794 was published for org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui (Maven) Feb 3, 2026
FacturaScripts has SQL Injection in Autocomplete Actions High
CVE-2026-25514 was published for facturascripts/facturascripts (Composer) Feb 3, 2026
Credited to lukasz-rybak
FacturaScripts has SQL Injection in API ORDER BY Clause High
CVE-2026-25513 was published for facturascripts/facturascripts (Composer) Feb 3, 2026
Credited to lukasz-rybak