GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories (count by ecosystem):
All reviewed: 5,000+
Composer: 5,000+
Erlang: 50
GitHub Actions: 50
Go: 3,673
Maven: 5,000+
npm: 5,000+
NuGet: 932
pip: 4,891
Pub: 13
RubyGems: 1,051
Rust: 1,315
Swift: 53
Unreviewed advisories:
All unreviewed: 5,000+
29,827 advisories
ArcadeDB vulnerable to cross-database authorization bypass and unsecured newly-created databases
    Critical; CVE-2026-44221 was published for com.arcadedb:arcadedb-server (Maven) on May 5, 2026
vLLM Vulnerable to Remote DoS via Special-Token Placeholders
    Moderate; CVE-2026-44222 was published for vllm (pip) on May 5, 2026
AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization
    High; CVE-2026-43885 was published for wwbn/avideo (Composer) on May 5, 2026
ciguard: Web UI is missing HTTP defence-in-depth headers
    Low; GHSA-7ww3-xvf5-cxwm was published for ciguard (pip) on May 5, 2026
ciguard: discover_pipeline_files follows symlinks out of scan root
    Low; CVE-2026-44220 was published for ciguard (pip) on May 5, 2026
ciguard: Container image runs as root (no USER directive)
    Low; CVE-2026-44218 was published for ciguard (pip) on May 5, 2026
ciguard: SCA HTTP client reads response body without size cap
    Moderate; CVE-2026-44219 was published for ciguard (pip) on May 5, 2026
sse-channel: SSE Injection via unsanitized event fields
    Moderate; CVE-2026-44217 was published for sse-channel (npm) on May 5, 2026
AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL()
    High; CVE-2026-43884 was published for wwbn/avideo (Composer) on May 5, 2026
AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements
    Moderate; CVE-2026-43883 was published for wwbn/avideo (Composer) on May 5, 2026
jdbi3-freemarker Vulnerable to Improper Neutralization of Special Elements Used in FreeMarker Template Engine
    High; GHSA-mggx-p7jf-jgw4 was published for org.jdbi:jdbi3-freemarker (Maven) on May 5, 2026
AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing
    Moderate; CVE-2026-43882 was published for wwbn/avideo (Composer) on May 5, 2026
authd: Primary group ID is incorrectly set to value of UID
    High; CVE-2026-6970 was published for github.com/canonical/authd (Go) on May 5, 2026
AVideo: Unauthenticated User Enumeration in objects/users.json.php via isCompany Parameter Allows Bypass of the Admin-Only Listing Restriction
    Moderate; CVE-2026-43881 was published for wwbn/avideo (Composer) on May 5, 2026
OpAMP client reads unbounded HTTP response bodies
    Moderate; CVE-2026-42348 was published for OpenTelemetry.OpAmp.Client (NuGet) on May 5, 2026
AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Enables Phishing from the Site's Legitimate From Address
    Moderate; CVE-2026-43880 was published for wwbn/avideo (Composer) on May 5, 2026
Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display
    Moderate; GHSA-fw8g-cg8f-9j28 was published for github.com/prometheus/prometheus (Go) on May 5, 2026
GraphQL-Ruby's Ruby lexer does not count comment tokens for the purposes of max_query_string_tokens
    Moderate; GHSA-3h96-34p3-xm76 was published for graphql (RubyGems) on May 5, 2026
ip-address has XSS in Address6 HTML-emitting methods
    Moderate; CVE-2026-42338 was published for ip-address (npm) on May 5, 2026
AVideo has Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass
    Moderate; CVE-2026-43879 was published for wwbn/avideo (Composer) on May 5, 2026
Kubewarden vulnerable to RBAC Reconnaissance via unchecked can_i host capability call
    Moderate; CVE-2026-42541 was published for github.com/kubewarden/kubewarden-controller (Go) on May 5, 2026
Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection
    High; CVE-2026-42334 was published for mongoose (npm) on May 5, 2026
rust-openssl has undefined behavior in X509Ref::ocsp_responders for certificates with non-UTF-8 OCSP URLs
    High; CVE-2026-42327 was published for openssl (Rust) on May 5, 2026
Plug.Cowboy vulnerable to unauthenticated remote DoS via HTTP/2 `:scheme` atom-table exhaustion
    High; CVE-2026-32688 was published for plug_cowboy (Erlang) on May 5, 2026
Grav is Vulnerable to Stored XSS via Tag Injection
    High; CVE-2026-42611 was published for getgrav/grav (Composer) on May 5, 2026
Advisories are also available from the GraphQL API.