GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

25,938 advisories

ml-dsa's UseHint function has off-by-two error when r0 equals zero Moderate
GHSA-h37v-hp6w-2pp8 was published for ml-dsa (Rust) Feb 2, 2026
Credited to XoifaiI
terraform-provider-proxmox has insecure sudo recommendation in the documentation High
CVE-2026-25499 was published for github.com/bpg/terraform-provider-proxmox (Go) Feb 2, 2026
Credited to lucasmaurice
@backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks High
CVE-2026-25153 was published for @backstage/plugin-techdocs-node (npm) Feb 2, 2026
SandboxJS Vulnerable to Prototype Pollution -> Sandbox Escape -> RCE Critical
CVE-2026-25142 was published for @nyariv/sandboxjs (npm) Feb 2, 2026
Credited to c0rydoras
OpenList has Insecure TLS Default Configuration High
CVE-2026-25060 was published for github.com/OpenListTeam/OpenList/v4 (Go) Feb 2, 2026
Credited to XlabAITeam, dezhishen, KirCute, jyxjjj, A7um, pkuGenuine, and keenanwgn
OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking High
CVE-2026-24051 was published for go.opentelemetry.io/otel/sdk/resource (Go) Feb 2, 2026
Credited to MorielHarush, pellared, and arminru
OpenList vulnerable to Path Traversal in file copy and remove handlers High
CVE-2026-25059 was published for github.com/OpenListTeam/OpenList/v4 (Go) Feb 2, 2026
Credited to XlabAITeam, KirCute, dezhishen, Suyunmeng, jyxjjj, A7um, pkuGenuine, and keenanwgn
Crafter CMS has Improper Control of Dynamically-Managed Code Resources Moderate
CVE-2026-1770 was published for org.craftercms:craftercms (Maven) Feb 2, 2026
jsPDF has PDF Injection in AcroFormChoiceField that allows Arbitrary JavaScript Execution High
CVE-2026-24737 was published for jspdf (npm) Feb 2, 2026
Credited to ahmetartuc
jsPDF Vulnerable to Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder High
CVE-2026-24133 was published for jspdf (npm) Feb 2, 2026
Credited to KarimTantawey
jsPDF Vulnerable to Stored XMP Metadata Injection (Spoofing & Integrity Violation) Moderate
CVE-2026-24043 was published for jspdf (npm) Feb 2, 2026
Credited to KarimTantawey
jsPDF has Shared State Race Condition in addJS Plugin Moderate
CVE-2026-24040 was published for jspdf (npm) Feb 2, 2026
Credited to KarimTantawey
FacturaScripts has Stored Cross-Site Scripting (XSS) in "Observations" field via History View High
CVE-2026-23997 was published for facturascripts/facturascripts (Composer) Feb 2, 2026
Credited to jaroslaw-wawiorko
Signal K set-system-time plugin vulnerable to RCE - Command Injection Critical
CVE-2026-23515 was published for @signalk/set-system-time (npm) Feb 2, 2026
Credited to cchheang
FacturaScripts is Vulnerable to Reflected XSS Moderate
CVE-2026-23476 was published for facturascripts/facturascripts (Composer) Feb 2, 2026
Credited to h4cd0c
vLLM has RCE In Video Processing Critical
CVE-2026-22778 was published for vllm (pip) Feb 2, 2026
Credited to dan-sec-ops, DarkLight1337, and russellb
Khoj has an IDOR in Notion OAuth Flow that Enables Index Poisoning Moderate
CVE-2025-69207 was published for khoj (pip) Feb 2, 2026
Credited to Cillian-Collins
pip Path Traversal vulnerability Low
CVE-2026-1703 was published for pip (pip) Feb 2, 2026
@backstage/plugin-techdocs-node vulnerable to possible Path Traversal in TechDocs Local Generator Moderate
CVE-2026-25152 was published for @backstage/plugin-techdocs-node (npm) Feb 2, 2026
H2O has an External Control of File Name or Path vulnerability Critical
CVE-2024-5986 was published for ai.h2o:h2o-core (Maven) Feb 2, 2026
mlflow Creation of Temporary File in Directory with Insecure Permissions High
CVE-2025-10279 was published for mlflow (pip) Feb 2, 2026
llama-index-core vulnerable to Uncontrolled Resource Consumption Moderate
CVE-2025-6208 was published for llama-index-core (pip) Feb 2, 2026
Hugging Face Text Generation Inference vulnerable to Uncontrolled Resource Consumption High
CVE-2026-0599 was published for text-generation (pip) Feb 2, 2026
Lollms has an Improper Access Control vulnerability High
CVE-2026-1117 was published for lollms (pip) Feb 2, 2026
Keycloak Server-Side Request Forgery (SSRF) vulnerability Low
CVE-2026-1518 was published for org.keycloak:keycloak-parent (Maven) Feb 2, 2026