GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

31,043 advisories

compliance-trestle Remote Fetching Mechanism has an Arbitrary File Write via Cache Path Traversal High
CVE-2026-45725 was published for compliance-trestle (pip) May 27, 2026
Credited to AnistoMejin and yantongggg
FUXA's Unauthenticated Project Data Disclosure Exposes Server-Side Scripts and Device Configurations High
CVE-2026-47717 was published for fuxa-server (npm) May 27, 2026
Credited to AbdrrahimDahmani
Kata guest escape: runtime-rs guest-root to host-root escape via virtiofs High
CVE-2026-47243 was published for github.com/kata-containers/kata-containers (Go) May 27, 2026
Credited to JulesDT, sprt, fidencio, and stevenhorsman
Yamcs Vulnerable to Authenticated Remote Code Execution (RCE) via Jython Algorithm Code Injection Critical
CVE-2026-46621 was published for org.yamcs:yamcs-core (Maven) May 27, 2026
Credited to superpegaso2703
Yamcs Vulnerable to Remote Code Execution via Mission Database algorithm override Critical
CVE-2026-46562 was published for org.yamcs:yamcs-core (Maven) May 27, 2026
Credited to 2BCEB1
Pimcore has a CustomReports Share Bypass High
CVE-2026-45704 was published for pimcore/pimcore (Composer) May 27, 2026
Credited to HuajiHD
Pimcore has a WordExport Authorization Bypass for Unauthorized Document Export Moderate
CVE-2026-45703 was published for pimcore/pimcore (Composer) May 27, 2026
Credited to HuajiHD
Credited to 0xHunSec
Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex Low
CVE-2026-45305 was published for symfony/symfony (Composer) May 27, 2026
Symfony hardened the parser when handling untrusted input Low
CVE-2026-45133 was published for symfony/symfony (Composer) May 27, 2026
Credited to nicolas-grekas and suidpit
Credited to lorenzocamilli
Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener High
CVE-2026-45077 was published for symfony/monolog-bridge (Composer) May 27, 2026
Credited to snoopysecurity, nicolas-grekas, and a-tt-om
Symfony's HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid] Moderate
CVE-2026-45075 was published for symfony/http-kernel (Composer) May 27, 2026
Credited to alexandre-daubois
Symfony's Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay Moderate
CVE-2026-45074 was published for symfony/security-http (Composer) May 27, 2026
Credited to nicolas-grekas
Symfony Vulnerable to SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix Moderate
CVE-2026-45073 was published for symfony/cache (Composer) May 27, 2026
Credited to FORIMOC and nicolas-grekas
Symfony Vulnerable to stored XSS in WebProfiler CodeExtension::fileExcerpt() — Unescaped Non-PHP File Rendering Low
CVE-2026-45072 was published for symfony/symfony (Composer) May 27, 2026
Symfony has XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true Low
CVE-2026-45071 was published for symfony/dom-crawler (Composer) May 27, 2026
Symfony has Email Header Injection via Non-Token Characters in Mime Parameter Names Moderate
CVE-2026-45070 was published for symfony/mime (Composer) May 27, 2026
Credited to alexandre-daubois
Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims Moderate
CVE-2026-45069 was published for symfony/security-http (Composer) May 27, 2026
Symfony has an Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address Moderate
CVE-2026-45068 was published for symfony/mailer (Composer) May 27, 2026
Symfony has Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address High
CVE-2026-45067 was published for symfony/mime (Composer) May 27, 2026
Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification Moderate
CVE-2026-45066 was published for symfony/html-sanitizer (Composer) May 27, 2026
Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing Moderate
CVE-2026-45064 was published for symfony/html-sanitizer (Composer) May 27, 2026
Credited to nicolas-grekas and unknownhad
CrowdSec AppSec silently drops request body for chunked / HTTP-2 requests High
CVE-2026-44982 was published for github.com/crowdsecurity/crowdsec (Go) May 27, 2026
Credited to mmarting