GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
540 advisories
Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims
Moderate • CVE-2026-45069 was published for symfony/security-http (Composer) • May 27, 2026

A flaw was found in Samba’s certificate auto-enrollment Group Policy handling. When certificate...
High • Unreviewed • CVE-2026-3012 was published • May 27, 2026

@hulumi/drift: Orphan reconciler accepted externally supplied execute plans
High • GHSA-2ffm-hxrq-qqmm was published for @hulumi/drift (npm) • May 21, 2026

Plonky3 MultiField32Challenger: transcript malleability and challenge entropy loss
High • CVE-2026-46654 was published for p3-challenger (Rust) • May 21, 2026

nimiq-primitives: BlockInclusionProof interlink issue when hops are empty
Moderate • CVE-2026-46539 was published for nimiq-primitives (Rust) • May 21, 2026

RTK improperly trusts project-local filter configuration, allowing silent tampering of command output shown to LLM
Moderate • CVE-2026-45792 was published for rtk (Rust) • May 20, 2026

Insufficient Verification of Data Authenticity vulnerability in Mesalvo Meona Client Launcher...
Moderate • Unreviewed • CVE-2026-25602 was published • May 20, 2026

arnika is affected by medium-severity issues in UDP rotation, PQC handling, and KMS TLS
Moderate • GHSA-rc6v-5rmx-w5mv was published for github.com/arnika-project/arnika (Go) • May 15, 2026

Better Auth: OAuth callback accepts mismatched `state` when cookie-backed state storage is used without PKCE
Moderate • GHSA-wxw3-q3m9-c3jr was published for better-auth (npm) • May 15, 2026

Electerm: Importing unsafe bookmark data could lead to unsafe operation when clicking local type bookmark
Critical • CVE-2026-45058 was published for electerm (npm) • May 14, 2026

Duplicate Advisory: OpenClaw: Isolated cron awareness events were recorded as trusted system events
Moderate • GHSA-m5j2-r859-r5cv was published for openclaw (npm) • May 11, 2026 • withdrawn

go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git
High • CVE-2026-45022 was published for github.com/go-git/go-git/v5 (Go) • May 11, 2026

Note Mark has a JWT Secret Weakness that allows Full Account Takeover via Token Forgery
Critical • CVE-2026-44523 was published for github.com/enchant97/note-mark/backend (Go) • May 7, 2026

Spring Cloud AWS missing SNS message signature verification allows spoofing of HTTP/HTTPS endpoint notifications
Moderate • CVE-2026-44308 was published for io.awspring.cloud:spring-cloud-aws-sns (Maven) • May 7, 2026

axonflow-sdk-java: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification
Moderate • GHSA-248h-974q-xrc2 was published for com.getaxonflow:axonflow-sdk (Maven) • May 6, 2026

axonflow-sdk-typescript: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification
Moderate • GHSA-mph8-9v29-pm42 was published for @axonflow/sdk (npm) • May 6, 2026

axonflow-sdk-go: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification
Moderate • GHSA-mhc4-qq83-fmrr was published for github.com/getaxonflow/axonflow-sdk-go/v5 (Go) • May 6, 2026

axonflow-sdk-python: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification
Moderate • GHSA-7f4h-6264-89fr was published for axonflow (pip) • May 6, 2026

awslabs/tough is Missing Delegated Metadata Validation
High • CVE-2026-6967 was published for tough (Rust) • May 5, 2026

nuts-node has JWT type confusion in v1 access token introspection that allows VP replay as access token
Moderate • CVE-2026-41164 was published for github.com/nuts-foundation/nuts-node (Go) • May 5, 2026

apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)
High • CVE-2026-42575 was published for chainguard.dev/apko (Go) • May 4, 2026

Dolibarr has Insufficient Verification of Data Authenticity
Low • CVE-2026-7689 was published for dolibarr/dolibarr (Composer) • May 3, 2026

A vulnerability was found in TRENDnet TEW-821DAP up to 1.12B01. This impacts the function...
Moderate • Unreviewed • CVE-2026-7611 was published • May 2, 2026

A weakness has been identified in TRENDnet TEW-821DAP 1.12B01. This issue affects the function...
Moderate • Unreviewed • CVE-2026-7606 was published • May 2, 2026

Hickory DNS's Record Cache Accepts AUTHORITY-Section NS from Sibling Zone via Parent-Pool Zone-Context Elevation
High • GHSA-83hf-93m4-rgwq was published for hickory-recursor (Rust) • Apr 30, 2026

ProTip! Advisories are also available from the GraphQL API.