GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

30,485 advisories

Credited to schuay
Nautobot: GitRepository.current_head field should not be writable through REST API High
CVE-2026-44798 was published for nautobot (pip) May 13, 2026
Credited to holmie
Nautobot: Webhook definitions could be used for server-side request forgery (SSRF) High
CVE-2026-44797 was published for nautobot (pip) May 13, 2026
Credited to whatisproblem
Credited to tamemghq
go-billy: Lack of depth and cycle detection in symlink resolution may lead to infinite loops and resource exhaustion Moderate
CVE-2026-44740 was published for github.com/go-git/go-billy/v5 (Go) May 13, 2026
Credited to faran66
Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray() High
CVE-2026-44738 was published for getgrav/grav (Composer) May 13, 2026
Credited to Revanth011
LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning High
CVE-2026-45134 was published for langchain (npm) May 13, 2026
Credited to Moaaz-0x and berardinellidaniele
Credited to thesmartshadow
Credited to krrazee and 0x5t4l1n
Astro: Server island encrypted parameters vulnerable to cross-component replay Low
CVE-2026-45028 was published for astro (npm) May 13, 2026
Credited to Popax21
Klever-Go MultiDataInterceptor has remote OOM via crafted compressed P2P payload High
CVE-2026-44697 was published for github.com/klever-io/klever-go (Go) May 13, 2026
Credited to fbsobreira
Authlib OIDC Implicit/Hybrid Authorization Vulnerable to Open Redirect Moderate
CVE-2026-44681 was published for authlib (pip) May 13, 2026
Credited to y011d4
Mapfish Print: Remote Code Injection (RCE) in Dynamic table Critical
CVE-2026-44672 was published for org.mapfish.print:print-lib (Maven) May 13, 2026
UltraJSON has a Memory Leak in ujson.dump() on Write Failure High
CVE-2026-44660 was published for ujson (pip) May 12, 2026
Credited to Zwique, bwoodsend, hugovk, and BeBecpp
SillyTavern has a SSRF vulnerability in the CORS proxy middleware Moderate
CVE-2026-44652 was published for sillytavern (npm) May 12, 2026
Credited to FORIMOC
SillyTavern has a reflected XSS vulnerability in the CORS proxy middleware Moderate
CVE-2026-44651 was published for sillytavern (npm) May 12, 2026
Credited to FORIMOC
SillyTavern has a Path Traversal issue Critical
CVE-2026-44650 was published for sillytavern (npm) May 12, 2026
Credited to ygboy777-alt, Greg-Kim, S4nso, and Mirr2
SillyTavern has Authentication Bypass via SSO Header Injection Critical
CVE-2026-44649 was published for sillytavern (npm) May 12, 2026
Credited to kirakira-dev
Credited to zzzm0919
esm.sh: Path Traversal via package.json browser field allows reading arbitrary server files High
CVE-2026-44594 was published for github.com/esm-dev/esm.sh (Go) May 12, 2026
Credited to donttrytofindme
esm.sh: Legacy Route Path Traversal Can Lead to RCE Critical
CVE-2026-44593 was published for github.com/esm-dev/esm.sh (Go) May 12, 2026
Credited to splitline
OpenClaude Sandbox Bypass via Model-Controlled `dangerouslyDisableSandbox` Input Critical
CVE-2026-42074 was published for openclaude (npm) May 12, 2026
OpenClaude MCP OAuth Callback: State Check Bypass via error Param Leads to DoS Moderate
CVE-2026-42073 was published for @gitlawb/openclaude (npm) May 12, 2026
Credited to xancyber