GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
671 advisories
pypdf: Manipulated XMP metadata streams can exhaust RAM
Moderate | CVE-2026-48735 was published for pypdf (pip) | Jun 16, 2026

Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature
Moderate | CVE-2026-50560 was published for io.netty:netty-codec-http2 (Maven) | Jun 15, 2026

Netty: Unbounded pre-allocation in RedisArrayAggregator from RESP array length
High | CVE-2026-50011 was published for io.netty:netty-codec-redis (Maven) | Jun 15, 2026

Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion
High | CVE-2026-48748 was published for io.netty:netty-codec-http3 (Maven) | Jun 15, 2026

Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS
High | CVE-2026-54283 was published for starlette (pip) | Jun 15, 2026

OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation
Moderate | CVE-2026-54285 was published for @opentelemetry/core (npm) | Jun 15, 2026

protobufjs: Memory amplification from preserved unknown fields in binary decode
Moderate | CVE-2026-54270 was published for protobufjs (npm) | Jun 15, 2026

aiohttp: Incomplete websocket frame payloads bypass memory limits
Moderate | CVE-2026-54274 was published for aiohttp (pip) | Jun 15, 2026

aiohttp: HTTP/1 Pipelined Requests Queue Without Limit
Moderate | CVE-2026-54273 was published for aiohttp (pip) | Jun 15, 2026

aiohttp: C HTTP Parser Bypasses max_line_size for Fragmented Lines
Moderate | CVE-2026-54277 was published for aiohttp (pip) | Jun 15, 2026

ws: Memory exhaustion DoS from tiny fragments and data chunks
High | CVE-2026-48779 was published for ws (npm) | Jun 15, 2026

NIOExtras: NIOHTTPRequestDecompressor ratio limit bypass via inflated Content-Length
Moderate | CVE-2026-28975 was published for github.com/apple/swift-nio-extras (Swift) | Jun 12, 2026

SwiftNIO NIOHTTP1: HTTPDecoder accepts unbounded HTTP/1 header blocks, enabling remote DoS
High | CVE-2026-28980 was published for github.com/apple/swift-nio (Swift) | Jun 12, 2026

python-zeroconf: Unbounded TC-deferred queue allows LAN-local memory exhaustion via spoofed-source flood
Moderate | CVE-2026-48045 was published for zeroconf (pip) | Jun 11, 2026

In Spring for Apache Kafka, unbounded delegate cache keyed on user-controlled, potentially malicious selector header
Moderate | CVE-2026-41726 was published for org.springframework.kafka:spring-kafka (Maven) | Jun 10, 2026

PhoenixStorybook: Unbounded atom creation from LiveView event params (atom-table DoS)
High | CVE-2026-8469 was published for phoenix_storybook (Erlang) | Jun 9, 2026

Netty: SCTP reassembly nests buffers without bound
High | CVE-2026-46340 was published for io.netty:netty-transport-sctp (Maven) | Jun 8, 2026

Netty: SNI handler pre-allocates up to 16 MiB from nine attacker bytes
High | CVE-2026-45416 was published for io.netty:netty-handler (Maven) | Jun 8, 2026

klever-go: REST API slow-header connection exhaustion via Gin Engine.Run
High | CVE-2026-52880 was published for github.com/klever-io/klever-go (Go) | Jun 5, 2026

klever-go: Unbounded goroutine spawn on direct-message ingress enables peer-driven DoS
High | CVE-2026-52879 was published for github.com/klever-io/klever-go (Go) | Jun 5, 2026

React Router vulnerable to Denial of Service via reflected user input in single-fetch
High | CVE-2026-34077 was published for react-router (npm) | Jun 4, 2026

Allocation of Resources Without Limits or Throttling in Axios
High | CVE-2026-44488 was published for axios (npm) | Jun 4, 2026

quic-go: HTTP/3 QPACK Trailer Expansion Memory Exhaustion
Moderate | CVE-2026-40898 was published for github.com/quic-go/quic-go (Go) | Jun 3, 2026

zeroconf has unbounded DNS record cache that allows LAN-local memory exhaustion via multicast flood
Moderate | CVE-2026-47184 was published for zeroconf (pip) | May 29, 2026

russh: Post-decompression SSH packet size was not bounded, allowing remote oversized compressed packets
High | CVE-2026-46702 was published for russh (Rust) | May 29, 2026
ProTip! Advisories are also available from the GraphQL API.