Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,437
Maven
5,000+
npm
5,000+
NuGet
883
pip
4,695
Pub
13
RubyGems
1,031
Rust
1,222
Swift
53
Unreviewed advisories
All unreviewed
5,000+

28,656 advisories

Loading
AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php High
CVE-2026-27732 was published for wwbn/avideo (Composer) Feb 25, 2026
arkmarta Credited to arkmarta
Rucio WebUI has Username Enumeration via Login Error Message Moderate
CVE-2026-25138 was published for rucio-webui (pip) Feb 25, 2026
d-woosley Credited to d-woosley
Rucio WebUI has a Reflected Cross-site Scripting Vulnerability High
CVE-2026-25136 was published for rucio-webui (pip) Feb 25, 2026
d-woosley Credited to d-woosley
Parse Dashboard has incomplete authentication on AI Agent endpoint Critical
CVE-2026-27595 was published for parse-dashboard (npm) Feb 25, 2026
ByamB4 Credited to ByamB4 and mtrezza mtrezza mtrezza
c3p0 vulnerable to Remote Code Execution via unsafe deserialization of userOverridesAsString property High
CVE-2026-27830 was published for com.mchange:c3p0 (Maven) Feb 25, 2026
dpp Credited to dpp
OpenFUN Richie Observable Timing Discrepancy in its sync_course_run_from_request function Moderate
CVE-2026-26717 was published for richie (pip) Feb 25, 2026
OpenKruise PodProbeMarker is Vulnerable to SSRF via Unrestricted Host Field Low
CVE-2026-24005 was published for github.com/openkruise/kruise (Go) Feb 25, 2026
b0b0haha Credited to b0b0haha and j311yl0v3u j311yl0v3u j311yl0v3u
ENS DNSSEC Oracle Vulnerable to RSA Signature Forgery via Missing PKCS#1 v1.5 Padding Validation Low
CVE-2026-22866 was published for @ensdomains/ens-contracts (npm) Feb 25, 2026
mchange-commons-java: Remote Code Execution via JNDI Reference Resolution High
CVE-2026-27727 was published for com.mchange:mchange-commons-java (Maven) Feb 25, 2026
dpp Credited to dpp
Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize Moderate
CVE-2026-27829 was published for @astrojs/node (npm) Feb 25, 2026
pHo9UBenaA Credited to pHo9UBenaA
OneUptime: OS Command Injection in Probe NetworkPathMonitor via unsanitized destination in traceroute exec() Critical
CVE-2026-27728 was published for @oneuptime/common (npm) Feb 25, 2026
dxlerYT Credited to dxlerYT
Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo High
CVE-2026-27700 was published for hono (npm) Feb 25, 2026
EdamAme-x Credited to EdamAme-x
Sliver has Potential Zip Bomb Denial of Service in GzipEncoder High
GHSA-2phg-qgmm-r638 was published for github.com/BishopFox/sliver (Go) Feb 25, 2026
Cycloctane Credited to Cycloctane
@enclave-vm/core is vulnerable to Sandbox Escape Critical
CVE-2026-27597 was published for @enclave-vm/core (npm) Feb 25, 2026
c0rydoras Credited to c0rydoras and frontegg-david frontegg-david frontegg-david
OliveTin: OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks Critical
CVE-2026-27626 was published for github.com/OliveTin/OliveTin (Go) Feb 25, 2026
ByamB4 Credited to ByamB4
pypdf has a possible infinite loop when loading circular /Prev entries in cross-reference streams Low
CVE-2026-27628 was published for pypdf (pip) Feb 25, 2026
rampageservices Credited to rampageservices
TypiCMS Core has Stored Cross-Site Scripting (XSS) via SVG File Upload Moderate
CVE-2026-27621 was published for typicms/core (Composer) Feb 25, 2026
lukasz-rybak Credited to lukasz-rybak
Bugsink is vulnerable to Stored XSS via Pygments fallback in stacktrace rendering Critical
CVE-2026-27614 was published for bugsink (pip) Feb 25, 2026
ByamB4 Credited to ByamB4
repostat: Reflected Cross-Site Scripting (XSS) via repo prop in RepoCard Moderate
CVE-2026-27612 was published for repostat (npm) Feb 25, 2026
denpiligrim Credited to denpiligrim
FileBrowser Quantum: Password Protection Not Enforced on Shared File Links High
CVE-2026-27611 was published for github.com/gtsteffaniak/filebrowser/backend (Go) Feb 25, 2026
ByteAfterlife Credited to ByteAfterlife
Fickling has safety check bypass via REDUCE+BUILD opcode sequence Moderate
GHSA-mhc9-48gj-9gp3 was published for fickling (pip) Feb 25, 2026
yash2998chhabria Credited to yash2998chhabria
ImageMagick: Integer Overflow in PSB (PSD v2) RLE decoding path causes heap Out of Bounds reads for 32-bit builds Low
CVE-2026-25984 was published for Magick.NET-Q16-AnyCPU (NuGet) Feb 25, 2026
andsopwn Credited to andsopwn
esm.sh is vulnerable to full-response SSRF High
CVE-2025-50180 was published for github.com/esm-dev/esm.sh (Go) Feb 25, 2026
bestlzk Credited to bestlzk
Dagu: Path traversal in DAG creation allows arbitrary YAML file write outside DAGs directory High
CVE-2026-27598 was published for github.com/dagu-org/dagu (Go) Feb 24, 2026
Fickling: OBJ opcode call invisibility bypasses all safety checks High
GHSA-mxhj-88fx-4pcv was published for fickling (pip) Feb 24, 2026
yash2998chhabria Credited to yash2998chhabria
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database