GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories (count by ecosystem):
All reviewed: 5,000+
Composer: 5,000+
Erlang: 70
GitHub Actions: 52
Go: 3,904
Maven: 5,000+
npm: 5,000+
NuGet: 967
pip: 5,000+
Pub: 13
RubyGems: 1,062
Rust: 1,374
Swift: 54

Unreviewed advisories:
All unreviewed: 5,000+
191 advisories
CrowdSec AppSec silently drops request body for chunked / HTTP-2 requests (High). CVE-2026-44982, published for github.com/crowdsecurity/crowdsec (Go), May 27, 2026.

Twig: Sandbox property and method bypass via object-destructuring assignment (High). CVE-2026-46639, published for twig/twig (Composer), May 21, 2026.

@hulumi/policies: Stack-wide evidence bypassed Cloudflare and deployment-governance guardrails (High). GHSA-59f3-7227-wmh4, published for @hulumi/policies (npm), May 21, 2026.

Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151. (High, unreviewed). CVE-2026-8969, published May 19, 2026.

Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151 and... (High, unreviewed). CVE-2026-8962, published May 19, 2026.

Sandbox escape in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox... (High, unreviewed). CVE-2026-8945, published May 19, 2026.

Inappropriate implementation in Media in Google Chrome on iOS prior to 148.0.7778.168 allowed a... (High, unreviewed). CVE-2026-8585, published May 14, 2026.

Insufficient policy enforcement in GPU in Google Chrome on Android prior to 148.0.7778.168... (High, unreviewed). CVE-2026-8571, published May 14, 2026.

Heym before 0.0.21 contains a sandbox escape vulnerability in the custom Python tool executor... (High, unreviewed). CVE-2026-45227, published May 13, 2026.

A validation issue was addressed with improved logic. This issue is fixed in iOS 18.7.9 and... (High, unreviewed). CVE-2026-43660, published May 11, 2026.

Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed a... (High, unreviewed). CVE-2026-8018, published May 6, 2026.

Inappropriate implementation in Companion in Google Chrome on Mac prior to 148.0.7778.96 allowed... (High, unreviewed). CVE-2026-7978, published May 6, 2026.

Inappropriate implementation in ServiceWorker in Google Chrome prior to 148.0.7778.96 allowed a... (High, unreviewed). CVE-2026-7963, published May 6, 2026.

Insufficient policy enforcement in DevTools in Google Chrome on Android prior to 148.0.7778.96... (High, unreviewed). CVE-2026-7913, published May 6, 2026.

open-websearch has SSRF in `fetchWebContent` MCP tool: bracketed IPv6 literals and non-resolving hostname check bypass `isPrivateOrLocalHostname` (High). CVE-2026-42260, published for open-websearch (npm), May 5, 2026.

ERB has an @_init deserialization guard bypass via def_module / def_method / def_class (High). CVE-2026-41316, published for erb (RubyGems), Apr 24, 2026.

OpenLearnX has Critical Remote Code Execution Through Python Sandbox Escape via Code Execution Environment (High). CVE-2026-41900, published for openlearnx (npm), Apr 23, 2026.

Spring Security Doesn't Correctly Include Servlet Path in Path Matching of HttpSecurity#securityMatchers (High). CVE-2026-22753, published for org.springframework.security:spring-security-config (Maven), Apr 22, 2026.

Protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a... (High, unreviewed). CVE-2026-32225, published Apr 14, 2026.

PraisonAI Vulnerable to Code Injection and Protection Mechanism Failure (High). CVE-2026-40158, published for PraisonAI (pip), Apr 10, 2026.

Lupa has a Sandbox escape and RCE due to incomplete attribute_filter enforcement in getattr / setattr (High). CVE-2026-34444, published for lupa (pip), Apr 7, 2026.

Directus: Missing Cross-Origin Opener Policy (High). CVE-2026-35408, published for directus (npm), Apr 4, 2026.

vLLM has Hardcoded Trust Override in Model Files Enables RCE Despite Explicit User Opt-Out (High). CVE-2026-27893, published for vllm (pip), Mar 27, 2026.

OpenClaw has Inconsistent Host Exec Environment Override Sanitization (High). CVE-2026-35650, published for openclaw (npm), Mar 26, 2026.

An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS... (High, unreviewed). CVE-2026-20701, published Mar 25, 2026.
Advisories are also available from the GraphQL API.