Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,475
Maven
5,000+
npm
5,000+
NuGet
883
pip
4,734
Pub
13
RubyGems
1,031
Rust
1,225
Swift
53
Unreviewed advisories
All unreviewed
5,000+

28,768 advisories

Loading
devalue `uneval`ed code can create objects with polluted prototypes when `eval`ed Low
GHSA-8qm3-746x-r74r was published for devalue (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
D-Tale affected by Remote Code Execution through the /save-column-filter endpoint High
CVE-2026-27194 was published for dtale (pip) Feb 19, 2026
Svelte SSR attribute spreading includes inherited properties from prototype chain Moderate
CVE-2026-27125 was published for svelte (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
Prototype pollution in swiper Critical
CVE-2026-27212 was published for swiper (npm) Feb 19, 2026
kevgeoleo Credited to kevgeoleo, vdata1, and reallyTG vdata1 vdata1
reallyTG reallyTG
eBay API MCP Server Affected by Environment Variable Injection High
CVE-2026-27203 was published for ebay-mcp (npm) Feb 19, 2026
nedlir Credited to nedlir
PyO3 has type confusion when accessing data from sublasses of subclasses of native types with `abi3` feature High
GHSA-47qc-857f-7w7f was published for pyo3 (Rust) Feb 19, 2026
Hono added timing comparison hardening in basicAuth and bearerAuth Low
GHSA-gq3j-xvxp-8hrf was published for hono (npm) Feb 19, 2026
Exagone313 Credited to Exagone313
OpenClaw replaced a deprecated sandbox hash algorithm High
CVE-2026-28479 was published for openclaw (npm) Feb 19, 2026
kexinoh Credited to kexinoh
OpenClaw has a Web Fetch DoS via unbounded response parsing Moderate
CVE-2026-28394 was published for openclaw (npm) Feb 19, 2026
xuemian168 Credited to xuemian168 and ShangzhiXu ShangzhiXu ShangzhiXu
Leaf-kit html escaping does not work on characters that are part of extended grapheme cluster Moderate
CVE-2026-27120 was published for leaf-kit (Swift) Feb 19, 2026
bawolff Credited to bawolff, ptoffy, 0xTim, and gwynne ptoffy ptoffy
0xTim 0xTim gwynne gwynne
Cilium may not enforce host firewall policies when Native Routing, WireGuard and Node Encryption are enabled Moderate
CVE-2026-26963 was published for github.com/cilium/cilium (Go) Feb 19, 2026
julianwiedmann Credited to julianwiedmann and smagnani96 smagnani96 smagnani96
Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable to remote code execution Critical
CVE-2026-26030 was published for semantic-kernel (pip) Feb 19, 2026
amiteliahu Credited to amiteliahu, doredry, and urioren doredry doredry
urioren urioren
jsPDF has a PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" property) High
CVE-2026-25940 was published for jspdf (npm) Feb 19, 2026
Macabely Credited to Macabely
jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method High
CVE-2026-25755 was published for jspdf (npm) Feb 19, 2026
ZeroXJacks Credited to ZeroXJacks
carbon-apimgt does not properly restrict uploaded files Critical
CVE-2025-13590 was published for org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl (Maven) Feb 19, 2026
Keycloak: Missing Check on Disabled Client for Docker Registry Protocol Low
CVE-2026-2733 was published for org.keycloak:keycloak-services (Maven) Feb 19, 2026
Kata Container to Guest micro VM privilege escalation Moderate
CVE-2026-24834 was published for github.com/kata-containers/kata-containers/src/runtime (Go) Feb 19, 2026
kostya-oai Credited to kostya-oai, sprt, fidencio, and stevenhorsman sprt sprt
fidencio fidencio stevenhorsman stevenhorsman
jsPDF Affected by Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions High
CVE-2026-25535 was published for jspdf (npm) Feb 19, 2026
ZeroXJacks Credited to ZeroXJacks
Svelte SSR does not validate dynamic element tag names in `<svelte:element>` Moderate
CVE-2026-27122 was published for svelte (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
Svelte affected by cross-site scripting via spread attributes in Svelte SSR Moderate
CVE-2026-27121 was published for svelte (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
Svelte affected by XSS in SSR `<option>` element Moderate
CVE-2026-27119 was published for svelte (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github and enismaholli enismaholli enismaholli
Cache poisoning in @sveltejs/adapter-vercel Moderate
CVE-2026-27118 was published for @sveltejs/adapter-vercel (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
Unsoundness in opt-in ARMv8 assembly backend for `keccak` Low
GHSA-3288-p39f-rqpv was published for keccak (Rust) Feb 19, 2026
Unauthorized npm publish of cline@2.3.0 with modified postinstall script Low
GHSA-9ppg-jx86-fqw7 was published for cline (npm) Feb 19, 2026
AdnaneKhan Credited to AdnaneKhan
Kargo has an Authorization Bypass Vulnerability in Batch Resource Creation API Endpoints Critical
CVE-2026-27112 was published for github.com/akuity/kargo (Go) Feb 19, 2026
b0b0haha Credited to b0b0haha, spingARbor, and krancour spingARbor spingARbor
krancour krancour
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database