GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories (count per ecosystem):
All reviewed: 5,000+
Composer: 5,000+
Erlang: 49
GitHub Actions: 49
Go: 3,481
Maven: 5,000+
npm: 5,000+
NuGet: 886
pip: 4,741
Pub: 13
RubyGems: 1,032
Rust: 1,226
Swift: 53

Unreviewed advisories:
All unreviewed: 5,000+
28,815 advisories
Prometheus has Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer (Moderate). CVE-2026-40179 was published for github.com/prometheus/prometheus (Go) on Apr 13, 2026.
Emissary has an OS Command Injection via Unvalidated IN_FILE_ENDING / OUT_FILE_ENDING in Executrix (High). CVE-2026-35582 was published for gov.nsa.emissary:emissary (Maven) on Apr 13, 2026.
External Secrets Operator has DNS-based secret exfiltration via getHostByName in External Secrets v2 template engine (High). CVE-2026-34984 was published for github.com/external-secrets/external-secrets (Go) on Apr 13, 2026.
nimiq-consensus panics via RequestMacroChain micro-block locator (Moderate). CVE-2026-34069 was published for nimiq-consensus (Rust) on Apr 13, 2026.
simple-git Affected by Command Execution via Option-Parsing Bypass (High). CVE-2026-28291 was published for simple-git (npm) on Apr 13, 2026.
Decidim has a cross-site scripting (XSS) in user name (Critical). CVE-2026-23891 was published for decidim-core (RubyGems) on Apr 13, 2026.
Daptin has Unauthenticated Path Traversal and Zip Slip (Critical). GHSA-9cp7-j3f8-p5jx was published for github.com/daptin/daptin (Go) on Apr 10, 2026.
mathjs Allows Improperly Controlled Modification of Dynamically-Determined Object Attributes (High). GHSA-jvff-x2qm-6286 was published for mathjs (npm) on Apr 10, 2026.
unhead: Streaming SSR `streamKey` injected into inline script without identifier validation (Low). GHSA-x7mm-9vvv-64w8 was published for unhead (npm) on Apr 10, 2026.
rembg server is vulnerable to Server-Side Request Forgery (SSRF) and a weak default CORS configuration (Moderate). GHSA-55v6-g8pm-pw4c was published for rembg (pip) on Apr 10, 2026.
paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass (Critical). GHSA-68qg-g8mg-6pr7 was published for @paperclipai/server (npm) on Apr 10, 2026.
rhukster/dom-sanitizer: SVG <style> tag allows CSS injection via unfiltered url() and @import directives (Moderate). GHSA-93vf-569f-22cq was published for rhukster/dom-sanitizer (Composer) on Apr 10, 2026.
DNN: Same HostGUID for all new installs (Low). GHSA-2rhw-gw3f-477j was published for DotNetNuke.Core (NuGet) on Apr 10, 2026.
DNN: Force Friend Request Acceptance (Moderate). GHSA-fpj4-9qhx-5m6m was published for DotNetNuke.Core (NuGet) on Apr 10, 2026.
next-intl has an open redirect vulnerability (Moderate). GHSA-8f24-v5vv-gm5j was published for next-intl (npm) on Apr 10, 2026.
Juju: In-Memory Token Store for Discharge Tokens Lacks Concurrency Safety and Persistence (Moderate). CVE-2026-5774 was published for github.com/juju/juju (Go) on Apr 10, 2026.
Juju: CloudSpec method leaking cloud credentials (Critical). CVE-2026-5412 was published for github.com/juju/juju (Go) on Apr 10, 2026.
gramps-webapi: Zip Slip Path Traversal in Media Archive Import (Critical). CVE-2026-40258 was published for gramps-webapi (pip) on Apr 10, 2026.
n8n-mcp has unauthenticated session termination and information disclosure in HTTP transport (High). GHSA-75hx-xj24-mqrw was published for n8n-mcp (npm) on Apr 10, 2026.
pypdf: Manipulated XMP metadata entity declarations can exhaust RAM (Moderate). CVE-2026-40260 was published for pypdf (pip) on Apr 10, 2026.
Arcane has Unauthenticated SSRF with Conditional Response Reflection in Template Fetch Endpoint (High). CVE-2026-40242 was published for github.com/getarcaneapp/arcane/backend (Go) on Apr 10, 2026.
phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals() (Low). CVE-2026-40194 was published for phpseclib/phpseclib (Composer) on Apr 10, 2026.
DotNetNuke.Core has stored cross-site-scripting (XSS) via SVG upload (High). GHSA-ffq7-898w-9jc4 was published for DotNetNuke.Core (NuGet) on Apr 10, 2026.
basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands (High). GHSA-6v7q-wjvx-w8wg was published for basic-ftp (npm) on Apr 10, 2026.
Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering (Low). CVE-2026-40109 was published for github.com/fluxcd/notification-controller (Go) on Apr 10, 2026.
Advisories are also available from the GraphQL API.