Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

26,016 advisories

Loading
CediPay Affected by Improper Input Validation in Payment Processing High
CVE-2026-26063 was published for cedipay-core (npm) Feb 12, 2026
qs's arrayLimit bypass in comma parsing allows denial of service Low
CVE-2026-2391 was published for qs (npm) Feb 12, 2026
SharokhAtaie ljharb
Credited to SharokhAtaie and ljharb
XWiki vulnerable to click-jacking through CSS injection in comments Moderate
CVE-2026-26000 was published for org.xwiki.platform:xwiki-platform-web (Maven) Feb 12, 2026
keechy1231
Credited to keechy1231
Traefik: TCP readTimeout bypass via STARTTLS on Postgres High
CVE-2026-25949 was published for github.com/traefik/traefik/v3 (Go) Feb 12, 2026
manizada
Credited to manizada
AbdrrahimDahmani dunglas
Credited to AbdrrahimDahmani and dunglas
FrankenPHP leaks session data between requests in worker mode High
CVE-2026-24894 was published for github.com/dunglas/frankenphp (Go) Feb 12, 2026
xavierleune dunglas
Credited to xavierleune and dunglas
webtransport-go: Memory Exhaustion Attack due to Missing Cleanup of Streams Map Moderate
CVE-2026-21438 was published for github.com/quic-go/webtransport-go (Go) Feb 12, 2026
webtransport-go: CloseWithError can block indefinitely Moderate
CVE-2026-21435 was published for github.com/quic-go/webtransport-go (Go) Feb 12, 2026
webtransport-go: Memory Exhaustion Attack due to Missing Length Check in WT_CLOSE_SESSION Capsule Moderate
CVE-2026-21434 was published for github.com/quic-go/webtransport-go (Go) Feb 12, 2026
DiskCache has unsafe pickle deserialization Moderate
CVE-2025-69872 was published for diskcache (pip) Feb 11, 2026
Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise Critical
GHSA-7ppg-37fh-vcr6 was published for github.com/milvus-io/milvus (Go) Feb 11, 2026
Vikunja Vulnerable to XSS Via Task Preview High
CVE-2026-25935 was published for code.vikunja.io/api (Go) Feb 11, 2026
supercoolspy
Credited to supercoolspy
nanotar is vulnerable to path traversal in parseTar() and parseTarGzip() Moderate
CVE-2025-69874 was published for nanotar (npm) Feb 11, 2026
Statamic CMS vulnerable to privilege escalation via stored cross-site scripting High
CVE-2026-25759 was published for statamic/cms (Composer) Feb 11, 2026
Neosprings
Credited to Neosprings
Statamic CMS's missing authorization allows access to assets Moderate
CVE-2026-25633 was published for statamic/cms (Composer) Feb 11, 2026
Neosprings
Credited to Neosprings
Phraseanet vulnerable to stored cross-site scripting through crafted file names Moderate
CVE-2018-25157 was published for phraseanet/phraseanet (Composer) Feb 11, 2026
Kimai 2 vulnerable to persistent cross-site scripting in the timesheet descriptions Moderate
CVE-2019-25317 was published for kimai/kimai (Composer) Feb 11, 2026
set-in Affected by Prototype Pollution Critical
CVE-2026-26021 was published for set-in (npm) Feb 11, 2026
kevgeoleo vdata1
reallyTG
Credited to kevgeoleo, vdata1, and reallyTG
@langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation Moderate
CVE-2026-26019 was published for @langchain/community (npm) Feb 11, 2026
kpanuragh hntrl
Credited to kpanuragh and hntrl
Pion DTLS's usage of random nonce generation with AES GCM ciphers risks leaking the authentication key Moderate
CVE-2026-26014 was published for github.com/pion/dtls (Go) Feb 11, 2026
theodorsm JoTurk
Credited to theodorsm and JoTurk
LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages Low
CVE-2026-26013 was published for langchain-core (pip) Feb 11, 2026
Finder16
Credited to Finder16
Leaky JWTs in OpenMetadata exposing highly-privileged bot users High
CVE-2026-26010 was published for org.open-metadata:openmetadata-sdk (Maven) Feb 11, 2026
amfor
Credited to amfor
Pillow affected by out-of-bounds write when loading PSD images High
CVE-2026-25990 was published for pillow (pip) Feb 11, 2026
wiredfool radarhere
hugovk yardenporat353
Credited to wiredfool, radarhere, hugovk, and yardenporat353
Microsoft Security Advisory CVE-2026-21218 | .NET Security Feature Bypass Vulnerability High
CVE-2026-21218 was published for System.Security.Cryptography.Cose (NuGet) Feb 10, 2026
MattKilgore bribrothers
yusuke-koyoshi
Credited to MattKilgore, bribrothers, and yusuke-koyoshi
cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves High
CVE-2026-26007 was published for cryptography (pip) Feb 10, 2026
XlabAITeam keenanwgn
A7um
Credited to XlabAITeam, keenanwgn, and A7um
ProTip! Advisories are also available from the GraphQL API