Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,904
Maven
5,000+
npm
5,000+
NuGet
967
pip
5,000+
Pub
13
RubyGems
1,062
Rust
1,374
Swift
54
Unreviewed advisories
All unreviewed
5,000+

105 advisories

Loading
Symfony's YAML Parser Vulnerable to Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs") Low
CVE-2026-45304 was published for symfony/symfony (Composer) May 27, 2026
Symfony hardened the parser when handling untrusted input Low
CVE-2026-45133 was published for symfony/symfony (Composer) May 27, 2026
nicolas-grekas Credited to nicolas-grekas and suidpit suidpit suidpit
A vulnerability in the XML handling component of AOS-8 DHCP services could allow an... Moderate Unreviewed
CVE-2026-23822 was published May 12, 2026
Docling's METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks High
CVE-2026-31248 was published for docling (pip) May 11, 2026
pypdf: Manipulated XMP metadata entity declarations can exhaust RAM Moderate
CVE-2026-40260 was published for pypdf (pip) Apr 10, 2026
kodareef5 Credited to kodareef5 and stefan6419846 stefan6419846 stefan6419846
fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) High
CVE-2026-33036 was published for fast-xml-parser (npm) Mar 17, 2026
deprrous Credited to deprrous and yuezk yuezk yuezk
SVGO DoS through entity expansion in DOCTYPE (Billion Laughs) High
CVE-2026-29074 was published for svgo (npm) Mar 4, 2026
ByamB4 Credited to ByamB4 and isaacs isaacs isaacs
fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) High
CVE-2026-26278 was published for fast-xml-parser (npm) Feb 17, 2026
ByamB4 Credited to ByamB4 and yuezk yuezk yuezk
In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions... Moderate Unreviewed
CVE-2025-20369 was published Oct 1, 2025
REXML has DoS condition when parsing malformed XML file Low
CVE-2025-58767 was published for rexml (RubyGems) Sep 17, 2025
sofiaaberegg Credited to sofiaaberegg
XEE in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5,... Moderate Unreviewed
CVE-2025-5466 was published Aug 12, 2025
XML External Entity Injection vulnerability in Quantum DXi6702 2.3.0.3 (11449-53631 Build304)... Critical Unreviewed
CVE-2019-19144 was published Aug 1, 2025
LlamaIndex has an XML Entity Expansion vulnerability in its sitemap parser High
CVE-2025-3225 was published for llama-index-readers-papers (pip) Jul 7, 2025
An attacker with access to an HX 10.0.0 and previous versions, may send specially-crafted data... Moderate Unreviewed
CVE-2025-0617 was published Jan 29, 2025
REXML denial of service vulnerability High
CVE-2024-43398 was published for rexml (RubyGems) Aug 22, 2024
Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including... High Unreviewed
CVE-2024-28982 was published Jun 27, 2024
Toshiba printers use XML communication for the API endpoint provided by the printer. For the... Moderate Unreviewed
CVE-2024-27142 was published Jun 14, 2024
Toshiba printers use XML communication for the API endpoint provided by the printer. For the... Moderate Unreviewed
CVE-2024-27141 was published Jun 14, 2024
Zend-JSON vulnerable to XXE/XEE attacks Critical
GHSA-8x2v-pcg7-94f4 was published for zendframework/zend-json (Composer) Jun 7, 2024
Zendframework Denial of Service vector via XEE injection High
GHSA-2jx7-xg83-j2m7 was published for zendframework/zendframework1 (Composer) Jun 7, 2024
ebookmeta XML External Entity vulnerability High
CVE-2024-37388 was published for ebookmeta (pip) Jun 7, 2024
ebookmeta XML External Entity vulnerability High
CVE-2024-36827 was published for ebookmeta (pip) Jun 7, 2024
ZendFramework potential XML eXternal Entity injection vectors Critical
GHSA-mhpx-3rv8-wrjm was published for zendframework/zendframework1 (Composer) Jun 7, 2024
ZendFramework vulnerable to XXE/XEE attacks Critical
GHSA-f4fj-q6m4-cc52 was published for zendframework/zend-xmlrpc (Composer) Jun 7, 2024
Zendframework vulnerable to XXE/XEE attacks Critical
GHSA-qc7w-4567-84wv was published for zendframework/zendframework (Composer) Jun 7, 2024
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database