GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
207 advisories
Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host
Critical: CVE-2026-46703 was published for @boxlite-ai/boxlite (Go) on May 21, 2026

BoxLite: Permission Bypass Allows Modification of Read-Only Files
Critical: CVE-2026-46695 was published for @boxlite-ai/boxlite (Go) on May 21, 2026

Zebra's Transparent SIGHASH_SINGLE Handling Diverges from zcashd for Corresponding Outputs
Critical: GHSA-cwfq-rfcr-8hmp was published for zebrad (Rust) on May 7, 2026

DeepSeek TUI: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files
Critical: CVE-2026-45374 was published for deepseek-tui (Rust) on May 14, 2026

DeepSeek TUI: run_tests Tool Enables RCE via Malicious Repository Without Approval
Critical: CVE-2026-45311 was published for deepseek-tui (npm) on May 14, 2026

Zebra has Consensus Divergence in Transparent Sighash Hash-Type Handling due to Stale Buffer
Critical: CVE-2026-44497 was published for zebra-script (Rust) on May 7, 2026

Zebra's Block Validator Undercounts Coinbase and P2SH Sigops
Critical: CVE-2026-44498 was published for zebrad (Rust) on May 7, 2026

Zebra Vulnerable to Consensus Divergence in Transparent Sighash Hash-Type Handling
Critical: CVE-2026-41583 was published for zebra-script (Rust) on Apr 18, 2026

Zebra has rk Identity Point Panic in Transaction Verification
Critical: CVE-2026-41584 was published for zebra-chain (Rust) on Apr 18, 2026

Zebra v4.4.0 still accepts V5 SIGHASH_SINGLE without a corresponding output
Critical: GHSA-pvmv-cwg8-v6c8 was published for zebra-script (Rust) on May 8, 2026

`mysten-metrics` was removed from crates.io for malicious code
Critical: GHSA-g38r-8gmr-ghrf was published for mysten-metrics (Rust) on May 4, 2026

`sui-execution-cut` was removed from crates.io for malicious code
Critical: GHSA-qprh-m6p3-hwxc was published for sui-execution-cut (Rust) on May 4, 2026

Brillig: Heap corruption in foreign call results with nested tuple arrays
Critical: CVE-2026-41197 was published for brillig (Rust) on Apr 21, 2026

nimiq-block has skip block quorum bypass via out-of-range BitSet indices & u16 truncation
Critical: CVE-2026-33471 was published for nimiq-block (Rust) on Apr 22, 2026

Wasmtime: Miscompiled guest heap access enables sandbox escape on aarch64 Cranelift
Critical: CVE-2026-34971 was published for wasmtime (Rust) on Apr 9, 2026

nimiq-blockchain is missing a wall-clock upper bound on block timestamps
Critical: CVE-2026-40093 was published for nimiq-blockchain (Rust) on Apr 10, 2026

Wasmtime with Winch compiler backend on aarch64 may allow a sandbox-escaping memory access
Critical: CVE-2026-34987 was published for wasmtime (Rust) on Apr 10, 2026

Zebra node crash — V5 transaction hash panic (P2P reachable)
Critical: CVE-2026-34202 was published for zebra-chain (Rust) on Mar 27, 2026

mpp has multiple payment bypass and griefing vulnerabilities
Critical: GHSA-fxc9-7j2w-vx54 was published for mpp (Rust) on Mar 29, 2026

RSSN has Arbitrary Code Execution via Unvalidated JIT Instruction Generation in C-FFI Interface
Critical: CVE-2026-30960 was published for rssn (Rust) on Mar 10, 2026

Pingora has HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing
Critical: CVE-2026-2835 was published for pingora-core (Rust) on Mar 5, 2026

Pingora vulnerable to HTTP Request Smuggling via Premature Upgrade
Critical: CVE-2026-2833 was published for pingora-core (Rust) on Mar 5, 2026

`time-sync` was removed from crates.io due to malicious code
Critical: GHSA-mh23-rw7f-v5pq was published for time-sync (Rust) on Mar 5, 2026

Duplicate Advisory: HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing
Critical: GHSA-262p-vjx5-45xh was published for pingora-core (Rust) on Mar 5, 2026 (withdrawn)

Duplicate Advisory: HTTP Request Smuggling via Premature Upgrade
Critical: GHSA-f9v3-j2m7-4hpg was published for pingora-core (Rust) on Mar 5, 2026 (withdrawn)

ProTip! Advisories are also available from the GraphQL API.