GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
195 advisories
hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`
  Severity: Moderate. CVE-2026-54288 was published for hono (npm) on Jun 16, 2026.

@angular/common: Weak 32-Bit Cache Key Hashing in `HttpTransferCache` Leading to Cross-Request Data Leakage and State Poisoning
  Severity: High. CVE-2026-54266 was published for @angular/common (npm) on Jun 15, 2026.

OpenFGA has cache-key delimiter injection in shared-iterator and v2 iterator that caches enables intra-store authorization-decision poisoning
  Severity: Moderate. CVE-2026-48096 was published for github.com/openfga/openfga (Go) on Jun 11, 2026.

Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload
  Severity: Critical. CVE-2026-48063 was published for @whiskeysockets/baileys (npm) on Jun 10, 2026.

vLLM's Artifact Pin Decay allows pinned deployments to load unpinned code, weights, and processors
  Severity: Moderate. CVE-2026-47155 was published for vllm (pip) on Jun 10, 2026.

Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections
  Severity: High. CVE-2026-47737 was published for puma (RubyGems) on Jun 9, 2026.

Netty has Insufficient Bailiwick Validation for NS Records
  Severity: High. CVE-2026-47691 was published for io.netty:netty-resolver-dns (Maven) on Jun 8, 2026.

Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records
  Severity: High. CVE-2026-45674 was published for io.netty:netty-resolver-dns (Maven) on Jun 8, 2026.

WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint
  Severity: High. CVE-2026-47696 was published for WWBN/AVideo (Composer) on Jun 4, 2026.

Better Auth: Device authorization approve and deny accept any authenticated session while the user code is pending
  Severity: High. CVE-2026-45337 was published for better-auth (npm) on Jun 4, 2026.

matrix-sdk-ui: Incomplete edit validation
  Severity: Moderate. CVE-2026-45057 was published for matrix-sdk-ui (Rust) on Jun 4, 2026.

stigmem-node's federation peer registration lacked explicit out-of-band approval
  Severity: Critical. GHSA-9vp8-3hmv-8fgh was published for stigmem-node (pip) on May 29, 2026.

stigmem-node's federation peer token timestamp validation may reject valid peer tokens
  Severity: High. GHSA-xh5j-xjfq-qvvx was published for stigmem-node (pip) on May 29, 2026.

Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims
  Severity: Moderate. CVE-2026-45069 was published for symfony/security-http (Composer) on May 27, 2026.

@hulumi/drift: Orphan reconciler accepted externally supplied execute plans
  Severity: High. GHSA-2ffm-hxrq-qqmm was published for @hulumi/drift (npm) on May 21, 2026.

Plonky3 MultiField32Challenger: transcript malleability and challenge entropy loss
  Severity: High. CVE-2026-46654 was published for p3-challenger (Rust) on May 21, 2026.

nimiq-primitives: BlockInclusionProof interlink issue when hops are empty
  Severity: Moderate. CVE-2026-46539 was published for nimiq-primitives (Rust) on May 21, 2026.

RTK improperly trusts project-local filter configuration, allowing silent tampering of command output shown to LLM
  Severity: Moderate. CVE-2026-45792 was published for rtk (Rust) on May 20, 2026.

arnika is affected by medium-severity issues in UDP rotation, PQC handling, and KMS TLS
  Severity: Moderate. GHSA-rc6v-5rmx-w5mv was published for github.com/arnika-project/arnika (Go) on May 15, 2026.

Better Auth: OAuth callback accepts mismatched `state` when cookie-backed state storage is used without PKCE
  Severity: Moderate. GHSA-wxw3-q3m9-c3jr was published for better-auth (npm) on May 15, 2026.

Electerm: Importing unsafe bookmark data could lead to unsafe operation when clicking local type bookmark
  Severity: Critical. CVE-2026-45058 was published for electerm (npm) on May 14, 2026.

Duplicate Advisory: OpenClaw: Isolated cron awareness events were recorded as trusted system events
  Severity: Moderate. GHSA-m5j2-r859-r5cv was published for openclaw (npm) on May 11, 2026. Status: withdrawn.

go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git
  Severity: High. CVE-2026-45022 was published for github.com/go-git/go-git/v5 (Go) on May 11, 2026.

Note Mark has a JWT Secret Weakness that allows Full Account Takeover via Token Forgery
  Severity: Critical. CVE-2026-44523 was published for github.com/enchant97/note-mark/backend (Go) on May 7, 2026.

Spring Cloud AWS missing SNS message signature verification allows spoofing of HTTP/HTTPS endpoint notifications
  Severity: Moderate. CVE-2026-44308 was published for io.awspring.cloud:spring-cloud-aws-sns (Maven) on May 7, 2026.
ProTip! Advisories are also available from the GraphQL API.