GitHub Advisory Database

A security vulnerability database that includes CVEs and GitHub-originated security advisories from the world of open source software.

25,938 advisories

SageMaker Python SDK has Exposed HMAC (severity: High)
CVE-2026-1777 was published for sagemaker (pip) on Feb 2, 2026

SageMaker Python SDK has Insecure TLS Configuration (severity: High)
CVE-2026-1778 was published for sagemaker (pip) on Feb 2, 2026

Magento's X-Original-Url header can expose admin url (severity: Moderate)
CVE-2026-25523 was published for openmage/magento-lts (Composer) on Feb 2, 2026

Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation (severity: Moderate)
CVE-2026-25522 was published for craftcms/commerce (Composer) on Feb 2, 2026
Credited to mHe4am

Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation (severity: Moderate)
CVE-2026-25490 was published for craftcms/commerce (Composer) on Feb 2, 2026
Credited to mHe4am

Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation (severity: Moderate)
CVE-2026-25489 was published for craftcms/commerce (Composer) on Feb 2, 2026
Credited to mHe4am

Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation (severity: Moderate)
CVE-2026-25488 was published for craftcms/commerce (Composer) on Feb 2, 2026
Credited to mHe4am

Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation (severity: Moderate)
CVE-2026-25487 was published for craftcms/commerce (Composer) on Feb 2, 2026
Credited to mHe4am

Craft Commerce has Stored XSS in Shipping Methods Name Field Leading to Potential Privilege Escalation (severity: Moderate)
CVE-2026-25486 was published for craftcms/commerce (Composer) on Feb 2, 2026
Credited to mHe4am

Craft Commerce has Stored XSS in Shipping Categories (Name & Description) Fields Leading to Potential Privilege Escalation (severity: Moderate)
CVE-2026-25485 was published for craftcms/composer (Composer) on Feb 2, 2026
Credited to mHe4am

Craft Commerce has Stored XSS in Product Type Name (severity: Moderate)
CVE-2026-25484 was published for craftcms/commerce (Composer) on Feb 2, 2026
Credited to mHe4am

Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration (severity: Moderate)
CVE-2026-25483 was published for craftcms/commerce (Composer) on Feb 2, 2026
Credited to mHe4am

Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in "Recent Orders" Dashboard Widget) (severity: Moderate)
CVE-2026-25482 was published for craftcms/commerce (Composer) on Feb 2, 2026
Credited to mHe4am

SignalK Server has Path Traversal leading to information disclosure (severity: Moderate)
CVE-2026-25228 was published for signalk-server (npm) on Feb 2, 2026
Credited to cchheang

Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream (severity: Low)
CVE-2026-25224 was published for fastify (npm) on Feb 2, 2026
Credited to mcollina and onlybugs05-hackerone

Fastify's Content-Type header tab character allows body validation bypass (severity: High)
CVE-2026-25223 was published for fastify (npm) on Feb 2, 2026
Credited to jsumners

locutus is vulnerable to Prototype Pollution (severity: Critical)
CVE-2026-25521 was published for locutus (npm) on Feb 2, 2026
Credited to kevgeoleo, reallyTG, vdata1, and cristianstaicu

cert-manager-controller DoS via Specially Crafted DNS Response (severity: Moderate)
CVE-2026-25518 was published for github.com/cert-manager/cert-manager (Go) on Feb 2, 2026
Credited to 1seal and SgtCoDFish

CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor (severity: Critical)
CVE-2026-25510 was published for ci4-cms-erp/ci4ms (Composer) on Feb 2, 2026
Credited to Far-Horizons

CI4MS Vulnerable to User Email Enumeration via Password Reset Flow (severity: Moderate)
CVE-2026-25509 was published for ci4-cms-erp/ci4ms (Composer) on Feb 2, 2026
Credited to Far-Horizons

Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication (severity: Critical)
CVE-2026-25505 was published for bambuddy (pip) on Feb 2, 2026
Credited to Speenah

WireGuard Portal v2 has Open Redirect Vulnerability in OAuth Authentication Flow (severity: Moderate)
GHSA-grh9-37g7-53mj was published for github.com/h44z/wg-portal (Go) on Feb 2, 2026
Credited to coolsarne and floerer

picklescan vulnerable to arbitrary file create using logging.FileHandler (severity: Moderate)
GHSA-m7j5-r2p5-c39r was published for picklescan (pip) on Feb 2, 2026
Credited to ez-lbz

picklescan missing detection by simple obfuscation of a `builtins.eval` call (severity: High)
GHSA-9m3x-qqw2-h32h was published for picklescan (pip) on Feb 2, 2026
Credited to ogrisel

Langroid has WAF Bypass Leading to RCE in TableChatAgent (severity: Critical)
CVE-2026-25481 was published for langroid (pip) on Feb 2, 2026
Credited to Ka7arotto