Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,904
Maven
5,000+
npm
5,000+
NuGet
967
pip
5,000+
Pub
13
RubyGems
1,062
Rust
1,374
Swift
54
Unreviewed advisories
All unreviewed
5,000+

409 advisories

Loading
Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex Low
CVE-2026-45305 was published for symfony/symfony (Composer) May 27, 2026
Symfony hardened the parser when handling untrusted input Low
CVE-2026-45133 was published for symfony/symfony (Composer) May 27, 2026
nicolas-grekas Credited to nicolas-grekas and suidpit suidpit suidpit
LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex High
CVE-2026-45617 was published for liquidjs (npm) May 27, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the... High Unreviewed
CVE-2026-9496 was published May 26, 2026
Parse Server: Pre-authentication denial of service via client version header regex backtracking High
CVE-2026-47138 was published for parse-server (npm) May 23, 2026
shmulc8 Credited to shmulc8 and mtrezza mtrezza mtrezza
Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix Moderate
CVE-2026-45409 was published for idna (pip) May 19, 2026
StanFromIreland Credited to StanFromIreland and kjd kjd kjd
HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint High
CVE-2026-45367 was published for ca.uhn.hapi.fhir:org.hl7.fhir.dstu2 (Maven) May 18, 2026
offset Credited to offset
multiparty vulnerable to ReDoS via filename parsing High
CVE-2026-8159 was published for multiparty (npm) May 18, 2026
aszx87410 Credited to aszx87410, blakeembrey, and UlisesGascon blakeembrey blakeembrey
UlisesGascon UlisesGascon
Svelte: ReDoS in `<svelte:element>` Tag Validation Moderate
CVE-2026-42567 was published for svelte (npm) May 14, 2026
Meltedd Credited to Meltedd, dummdidumm, and elliott-with-the-longest-name-on-github dummdidumm dummdidumm
elliott-with-the-longest-name-on-github elliott-with-the-longest-name-on-github
Nautobot: Object bulk rename UI actions vulnerable to denial of service by crafted regular expression (REDoS) Moderate
CVE-2026-44796 was published for nautobot (pip) May 13, 2026
whatisproblem Credited to whatisproblem
ShellHub has crash-DoS via field injection in filter and sort-by parameters Moderate
CVE-2026-44425 was published for github.com/shellhub-io/shellhub (Go) May 6, 2026
Edu0x01 Credited to Edu0x01
Nokogiri CSS selector tokenizer has regular expression backtracking High
GHSA-c4rq-3m3g-8wgx was published for nokogiri (RubyGems) May 6, 2026
colby-swandale Credited to colby-swandale and flavorjones flavorjones flavorjones
Mistune has a ReDoS in LINK_TITLE_RE that allows denial of service via crafted Markdown input High
CVE-2026-33079 was published for mistune (pip) May 6, 2026
kq5y Credited to kq5y
GROWI provided by GROWI, Inc. is vulnerable to a regular expression denial of service (ReDoS) via... High Unreviewed
CVE-2026-41040 was published Apr 23, 2026
Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths High
CVE-2026-39320 was published for signalk-server (npm) Apr 21, 2026
VashuVats Credited to VashuVats
Giskard has a Regular Expression Denial of Service (ReDoS) in RegexMatching Check Low
CVE-2026-40319 was published for giskard-checks (pip) Apr 14, 2026
dhabaleshwar Credited to dhabaleshwar
fast-jwt has a ReDoS when using RegExp in allowed* leading to CPU exhaustion during token verification Moderate
CVE-2026-35041 was published for fast-jwt (npm) Apr 9, 2026
fasrm Credited to fasrm and SociableSteve SociableSteve SociableSteve
skilleton has improper input handling in repository/path processing Moderate
GHSA-5g3j-89fr-r2vp was published for skilleton (npm) Apr 8, 2026
Addressable has a Regular Expression Denial of Service in Addressable templates High
CVE-2026-35611 was published for addressable (RubyGems) Apr 8, 2026
jamfish Credited to jamfish and sporkmonger sporkmonger sporkmonger
Gotenberg Vulnerable to ReDoS via extraHttpHeaders scope feature High
CVE-2026-35458 was published for github.com/gotenberg/gotenberg/v8 (Go) Apr 7, 2026
beryxz Credited to beryxz and drw0if drw0if drw0if
@hapi/content: Regular Expression Denial of Service (ReDoS) in HTTP header parsing High
CVE-2026-35213 was published for @hapi/content (npm) Apr 4, 2026
PraisonAI Has ReDoS via Unvalidated User-Controlled Regex in MCPToolIndex.search_tools() Moderate
CVE-2026-34939 was published for praisonai (pip) Apr 1, 2026
YeranG30 Credited to YeranG30
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards Moderate
CVE-2026-4923 was published for path-to-regexp (npm) Mar 27, 2026
blakeembrey Credited to blakeembrey and UlisesGascon UlisesGascon UlisesGascon
path-to-regexp vulnerable to Denial of Service via sequential optional groups High
CVE-2026-4926 was published for path-to-regexp (npm) Mar 27, 2026
uug4na Credited to uug4na, blakeembrey, and UlisesGascon blakeembrey blakeembrey
UlisesGascon UlisesGascon
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters High
CVE-2026-4867 was published for path-to-regexp (npm) Mar 27, 2026
EthanKim88 Credited to EthanKim88, blakeembrey, and UlisesGascon blakeembrey blakeembrey
UlisesGascon UlisesGascon
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database