Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
61
GitHub Actions
50
Go
3,821
Maven
5,000+
npm
5,000+
NuGet
939
pip
5,000+
Pub
13
RubyGems
1,059
Rust
1,357
Swift
54
Unreviewed advisories
All unreviewed
5,000+

49 advisories

Loading
In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that... Moderate Unreviewed
CVE-2026-41526 was published Apr 28, 2026
http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for... Low Unreviewed
CVE-2026-6019 was published Apr 22, 2026
Inspektor Gadget uses unsanitized ANSI Escape Sequences In `columns` Output Mode Moderate
CVE-2026-25996 was published for github.com/inspektor-gadget/inspektor-gadget (Go) Apr 22, 2026
suidpit Credited to suidpit, ndaprela, eiffel-fl, and flyth ndaprela ndaprela
eiffel-fl eiffel-fl flyth flyth
MuPDF mutool does not sanitize PDF metadata fields before writing them to terminal output,... Moderate Unreviewed
CVE-2026-40505 was published Apr 16, 2026
Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an... Critical Unreviewed
CVE-2026-26149 was published Apr 14, 2026
OpenClaw has ACP CLI approval prompt ANSI escape sequence injection Moderate
CVE-2026-35651 was published for openclaw (npm) Mar 29, 2026
nexrin Credited to nexrin, KeenSecurityLab, qclawer, anlakii, and simon-reisinger-dynatrace KeenSecurityLab KeenSecurityLab
qclawer qclawer anlakii anlakii simon-reisinger-dynatrace simon-reisinger-dynatrace
AWS SDK for PHP has CloudFront Policy Document Injection via Special Characters High
GHSA-27qh-8cxx-2cr5 was published for aws/aws-sdk-php (Composer) Mar 27, 2026
Mattermost allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences High
CVE-2026-3108 was published for github.com/mattermost/mattermost/server/v8 (Go) Mar 26, 2026
An improper neutralization of escape, meta, or control sequences vulnerability has been reported... Moderate Unreviewed
CVE-2025-62845 was published Mar 20, 2026
Tanium addressed an unauthorized code execution vulnerability in Tanium Appliance. High Unreviewed
CVE-2025-15311 was published Feb 5, 2026
Improper neutralization of escape, meta, or control sequences in Copilot allows an unauthorized... High Unreviewed
CVE-2026-21521 was published Jan 23, 2026
Mailpit has an SMTP Header Injection via Regex Bypass Moderate
CVE-2026-23829 was published for github.com/axllent/mailpit (Go) Jan 20, 2026
omarkurt Credited to omarkurt
badkeys vulnerable to ASCII control character injection on console via malformed input Low
CVE-2026-21439 was published for badkeys (pip) Jan 5, 2026
hannob Credited to hannob
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server... Moderate Unreviewed
CVE-2025-65082 was published Dec 5, 2025
Soft Serve does not sanitize ANSI escape sequences in user input Moderate
CVE-2025-64494 was published for github.com/charmbracelet/soft-serve (Go) Nov 6, 2025
Tomer-PL Credited to Tomer-PL and caarlos0 caarlos0 caarlos0
Apache Tomcat Vulnerable to Improper Neutralization of Escape, Meta, or Control Sequences Low
CVE-2025-55754 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Oct 27, 2025
aruneko Credited to aruneko
Tracing logging user input may result in poisoning logs with ANSI escape sequences Low
CVE-2025-58160 was published for tracing-subscriber (Rust) Aug 29, 2025
zefr0x Credited to zefr0x
Active Record logging vulnerable to ANSI escape injection Moderate
CVE-2025-55193 was published for activerecord (RubyGems) Aug 13, 2025
th4s1s Credited to th4s1s
Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier... High Unreviewed
CVE-2024-47252 was published Jul 10, 2025
Gardener allows metadata injection for a project secret which can lead to privilege escalation Critical
CVE-2025-47284 was published for github.com/gardener/gardener (Go) May 19, 2025
rfranzke Credited to rfranzke, donistz, timuthy, and JordanJordanov donistz donistz
timuthy timuthy JordanJordanov JordanJordanov
Apache Tomcat Rewrite rule bypass Low
CVE-2025-31651 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Apr 28, 2025
amita-seal Credited to amita-seal and taxone taxone taxone
In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv... Low Unreviewed
CVE-2024-58251 was published Apr 23, 2025
gurk (aka gurk-rs) mishandles ANSI escape sequences Moderate
CVE-2025-30089 was published for gurk (Rust) Mar 17, 2025
Malayke Credited to Malayke
IBM MQ 9.3 LTS, 9.3 CD, 9.4 LTS, and 9.4 CD console could allow an authenticated user to execute... High Unreviewed
CVE-2025-0975 was published Feb 28, 2025
MongoDB Shell may be susceptible to control character injection via pasting Moderate
CVE-2025-1692 was published for mongosh (npm) Feb 27, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database