GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
10 advisories
ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351
High
CVE-2026-45363
was published
for
jwt
(RubyGems)
May 18, 2026
AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`
Moderate
CVE-2026-45620
was published
for
WWBN/AVideo
(Composer)
May 18, 2026
AVideo CVE-2026-43884 incomplete fix - six (or more) `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post-`603e7bf`
Moderate
CVE-2026-45619
was published
for
WWBN/AVideo
(Composer)
May 15, 2026
slack-go `SecretsVerifier` accepts empty signing secret without precondition
Moderate
GHSA-gxhx-2686-5h9g
was published
for
github.com/slack-go/slack
(Go)
May 14, 2026
sse-channel: SSE Injection via unsanitized event fields
Moderate
CVE-2026-44217
was published
for
sse-channel
(npm)
May 5, 2026
AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL()
High
CVE-2026-43884
was published
for
wwbn/avideo
(Composer)
May 5, 2026
DDEV has ZipSlip path traversal in tar and zip archive extraction
Moderate
CVE-2026-32885
was published
for
github.com/ddev/ddev
(Go)
Apr 22, 2026
Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()
Moderate
CVE-2026-33693
was published
for
activitypub_federation
(Rust)
Mar 25, 2026
CairoSVG vulnerable to Exponential DoS via recursive <use> element amplification
High
CVE-2026-31899
was published
for
CairoSVG
(pip)
Mar 13, 2026
OpenClaw's `system.run` env override filtering allowed dangerous helper-command pivots
Moderate
GHSA-j425-whc4-4jgc
was published
for
openclaw
(npm)
Mar 9, 2026
ProTip!
Advisories are also available from the
GraphQL API