GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 49; GitHub Actions 50; Go 3,670; Maven 5,000+; npm 5,000+; NuGet 931; pip 4,885; Pub 13; RubyGems 1,050; Rust 1,314; Swift 53.
Unreviewed advisories: All unreviewed 5,000+.

29,781 advisories. The entries below were all published May 5, 2026.
CVE-2026-42315 (High): PyLoad vulnerable to Path Traversal via Package Folder Name in set_package_data. Published May 5, 2026 for pyload-ng (pip).

CVE-2026-44167 (High): phpseclib has a CVE-2024-27355 mitigation bypass: OID amplification DoS in ASN1::decodeOID(). Published May 5, 2026 for phpseclib/phpseclib (Composer).

CVE-2026-44166 (Moderate): PocketBase vulnerable to account pre-hijacking via OAuth2 unverified->verified autolinking upgrade. Published May 5, 2026 for github.com/pocketbase/pocketbase (Go).

CVE-2026-43891 (High): changedetection.io has an Arbitrary Local File Read via a crafted backup restore. Published May 5, 2026 for changedetection.io (pip).

GHSA-jxh8-jh77-xh6g (High): @evomap/evolver's validator sandbox allowlist permits `npm`/`npx`, yielding RCE from Hub-delivered validation tasks via lifecycle scripts. Published May 5, 2026 for @evomap/evolver (npm).

GHSA-7xp7-m392-h92c (Moderate): @evomap/evolver has an unbounded request body in proxy /asset/submit that causes persistent disk-exhaustion DoS. Published May 5, 2026 for @evomap/evolver (npm).

GHSA-cfcj-hqpf-hccf (High): @evomap/evolver: Path Traversal in `evolver fetch` default-branch `safeId` allows Hub-controlled overwrite of project files (RCE). Published May 5, 2026 for @evomap/evolver (npm).

GHSA-9fw6-xgg2-mq9q (High): Hysteria: a specially constructed QUIC packet can crash the server (OOM) when sniffing is enabled. Published May 5, 2026 for github.com/apernet/hysteria/core/v2 (Go).

CVE-2026-42314 (Moderate): PyLoad Vulnerable to Path Traversal via Package Folder Name. Published May 5, 2026 for pyload-ng (pip).
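Three of the entries above (both PyLoad advisories and the @evomap/evolver `safeId` advisory) are the same class: a caller-supplied name becomes part of a filesystem path without a containment check. The advisories do not publish the exact input that escaped, so the following is an added example, not pyload-ng's or @evomap/evolver's code. It shows the generic check a practitioner applies to such a name, the naive join it replaces, and one case that string filtering alone misses: a symlink inside the base directory that points outside it. It assumes a POSIX filesystem; the scratch layout it builds is constructed for the example.

```python
"""Confining a caller-supplied folder name to a base directory.

Added example; not pyload-ng's or @evomap/evolver's code. Assumes POSIX paths.
"""
import os
import tempfile


def naive_package_dir(base: str, folder: str) -> str:
    """Vulnerable shape: join and trust the result. "../x" climbs out of base,
    and an absolute folder makes os.path.join discard base entirely."""
    return os.path.join(base, folder)


def safe_package_dir(base: str, folder: str) -> str:
    """Return the absolute path of base/folder, or raise ValueError if the name
    is not a single plain path component or resolves to somewhere outside base."""
    if not folder or folder in (".", "..") or "\x00" in folder:
        raise ValueError("empty or reserved folder name")
    if "/" in folder or "\\" in folder or os.path.isabs(folder):
        raise ValueError("folder name must be a single path component")
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, folder))
    # A symlink inside base can still point outside it; realpath follows the
    # link, so containment is decided on the resolved path, not on the string.
    if candidate == base_real or os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("resolved path leaves the base directory")
    return candidate


def is_confined(base: str, folder: str) -> bool:
    """True if safe_package_dir accepts the name."""
    try:
        safe_package_dir(base, folder)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Build a constructed scratch layout and report which names are accepted.
    base/ holds one real folder ("movies") and a symlink "escape" -> root."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "packages")
    os.mkdir(base)
    os.mkdir(os.path.join(base, "movies"))
    os.symlink(root, os.path.join(base, "escape"))
    names = ["movies", "new-package", "../outside", "/etc", "..\\win", "escape", ".."]
    return {name: is_confined(base, name) for name in names}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{'accept' if accepted else 'reject':6}  {name!r}")
```

The string checks alone would have accepted "escape"; only the realpath comparison catches it. Note that os.path.realpath on a name that does not exist yet still normalises it, so "new-package" is accepted even though the directory has not been created.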
CVE-2026-42304 (High): Twisted has a Denial of Service (DoS) in twisted.names via Crafted DNS Compression Pointer Chains. Published May 5, 2026 for Twisted (pip).
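The Twisted entry names the mechanism (crafted compression-pointer chains) but the advisory summary does not publish the triggering message. The following is an added example, not Twisted's code, showing the bug class with constructed messages (a pointer to itself and a two-pointer cycle) and the two standard bounds that defeat it: a pointer must refer to an earlier offset, and the number of pointer hops is capped. MAX_POINTER_HOPS is this example's own choice; the 255-octet limit is RFC 1035's.

```python
"""Decoding DNS names with RFC 1035 compression pointers, with bounds.

Added example; not Twisted's code. SAMPLE_MSG, SELF_LOOP and TWO_NODE_CYCLE
are constructed inputs.
"""

MAX_POINTER_HOPS = 16    # assumption: far more than any legitimate name needs
MAX_NAME_LENGTH = 255    # RFC 1035 section 2.3.4 limit on a full name

# "www.example.com" at offset 0, then at offset 17 a second name whose tail is
# a pointer (0xC0 0x04) back to the "example.com" labels at offset 4.
SAMPLE_MSG = b"\x03www\x07example\x03com\x00" + b"\x03ftp\xc0\x04"
SELF_LOOP = b"\xc0\x00"               # offset 0 points at offset 0
TWO_NODE_CYCLE = b"\xc0\x02\xc0\x00"  # 0 -> 2 -> 0


def decode_name(msg: bytes, offset: int) -> tuple:
    """Return (dotted name, offset just past the name as written at `offset`).
    Raises ValueError for any malformed or hostile encoding."""
    labels = []
    hops = 0
    resume = None        # where the caller continues; fixed by the first pointer
    total = 0
    pos = offset
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if (length & 0xC0) == 0xC0:                  # compression pointer
            if pos + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if resume is None:
                resume = pos + 2
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("too many compression pointers")
            if target >= pos:    # forbids self-reference and any forward cycle
                raise ValueError("compression pointer does not point backwards")
            pos = target
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        pos += 1
        if length == 0:                              # root label ends the name
            break
        total += length + 1
        if total > MAX_NAME_LENGTH:
            raise ValueError("name exceeds 255 octets")
        label = msg[pos:pos + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii"))
        pos += length
    return ".".join(labels) or ".", resume if resume is not None else pos


def decode_name_unbounded(msg: bytes, offset: int) -> str:
    """The shape this bug class targets: follows pointers without limit, so
    SELF_LOOP and TWO_NODE_CYCLE never return. Kept for contrast only; never
    call it on untrusted input."""
    labels = []
    pos = offset
    while True:
        length = msg[pos]
        if (length & 0xC0) == 0xC0:
            pos = ((length & 0x3F) << 8) | msg[pos + 1]
            continue
        pos += 1
        if length == 0:
            return ".".join(labels)
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length


def rejects(msg: bytes, offset: int = 0) -> bool:
    """True if the bounded decoder refuses the message."""
    try:
        decode_name(msg, offset)
        return False
    except ValueError:
        return True
```

The backwards-only rule on its own guarantees termination, because every hop strictly decreases the offset; the hop cap is a second, independent bound that also limits the work a long legitimate-looking chain can demand.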
CVE-2026-42303 (Moderate): Ethyca Fides has a Privacy Request Identity Verification Bypass Vulnerability via Duplicate Detection. Published May 5, 2026 for ethyca-fides (pip).

CVE-2026-42300 (Critical): DevGuard has an unauthenticated identity assertion via `X-Admin-Token` header. Published May 5, 2026 for github.com/l3montree-dev/devguard (Go).

CVE-2026-42285 (High): GoBGP has a panic in AdjRib.Update via malformed BGP Update message (Nil Pointer Dereference). Published May 5, 2026 for github.com/osrg/gobgp/v4 (Go).

CVE-2026-42281 (Critical): MagicMirror vulnerable to unauthenticated SSRF via /cors endpoint. Published May 5, 2026 for magicmirror (npm).

CVE-2026-42267 (Moderate): Kimai vulnerable to Formula Injection via tag names in XLSX export. Published May 5, 2026 for kimai/kimai (Composer).

CVE-2026-42266 (High): JupyterHub has an Extension Manager API/GUI Policy Discrepancy, allowing third-party (malicious) extension installs via POST request. Published May 5, 2026 for jupyterlab (pip).

CVE-2026-42260 (High): open-websearch has SSRF in the `fetchWebContent` MCP tool: bracketed IPv6 literals and non-resolving hostnames bypass the `isPrivateOrLocalHostname` check. Published May 5, 2026 for open-websearch (npm).

CVE-2026-42220 (Moderate): Nginx-UI: Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback. Published May 5, 2026 for github.com/0xJacky/Nginx-UI (Go).

CVE-2026-43939 (High): YAFNET has Stored XSS in Forum Thread Posts/Replies that Allows Arbitrary JavaScript Execution for All Thread Viewers. Published May 5, 2026 for YAFNET.Core (NuGet).

CVE-2026-43937 (High): YAFNET: Pre-Handler Authorization Bypass on Admin Pages Enables Blind SQL Execution via `/Admin/RunSql`. Published May 5, 2026 for YAFNET.Core (NuGet).

CVE-2026-43938 (High): YAFNET has Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header. Published May 5, 2026 for YAFNET.Core (NuGet).

CVE-2026-43930 (Low): parse-server: MFA SMS one-time password accepted twice under concurrent login. Published May 5, 2026 for parse-server (npm).

CVE-2026-43929 (High): ssrfcheck Vulnerable to Server-Side Request Forgery (SSRF) and Incomplete List of Disallowed Inputs. Published May 5, 2026 for ssrfcheck (npm).

CVE-2025-8267 (High): ssrfcheck: SSRF Bypass Caused by Failure to Classify Reserved IP Address Space as Invalid. Published May 5, 2026 for ssrfcheck (npm).
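The open-websearch entry and the two ssrfcheck entries above describe three ways an SSRF target check fails: a bracketed IPv6 literal ("[::1]") that a string-based check does not recognise as an address, a hostname that does not resolve and is therefore treated as "not private", and reserved address space missing from a hand-written deny list. The following is an added example, not open-websearch's or ssrfcheck's code, of a checker that handles each: it strips the brackets before parsing, resolves names and fails closed when resolution returns nothing, and relies on the ipaddress module's scope classification rather than a list. The resolver is injectable so the example runs offline; FAKE_DNS is constructed test data and the public addresses used are examples only.

```python
"""Deciding whether a caller-supplied host may be fetched (SSRF guard).

Added example; not open-websearch's or ssrfcheck's code. FAKE_DNS is
constructed so the example runs without network access.
"""
import ipaddress
import socket


def system_resolver(host: str) -> list:
    """Resolve with the OS resolver (A and AAAA); [] when nothing resolves."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


# Constructed answers for offline use.
FAKE_DNS = {
    "www.example": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "mixed.example": ["93.184.216.34", "127.0.0.1"],  # one internal answer poisons the set
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])


def address_is_public(addr) -> bool:
    """True only for a globally routable unicast address."""
    mapped = getattr(addr, "ipv4_mapped", None)   # ::ffff:127.0.0.1 is judged as 127.0.0.1
    if mapped is not None:
        addr = mapped
    # is_global already excludes loopback, link-local, RFC 1918, CGNAT (100.64/10),
    # the documentation and benchmarking ranges, and multicast; the explicit
    # checks make the intent visible and cover older ipaddress versions.
    return addr.is_global and not (addr.is_private or addr.is_loopback
                                   or addr.is_link_local or addr.is_multicast
                                   or addr.is_reserved or addr.is_unspecified)


def is_safe_target(host: str, resolve=system_resolver) -> bool:
    """True if every address `host` denotes is public; False otherwise."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]                  # URL form of an IPv6 literal
    if not host or "%" in host:
        return False                       # empty, or a scoped literal such as fe80::1%eth0
    try:
        return address_is_public(ipaddress.ip_address(host))
    except ValueError:
        pass                               # not a literal: resolve it
    answers = list(resolve(host))
    if not answers:
        return False                       # unresolvable: fail closed, never assume "remote"
    try:
        return all(address_is_public(ipaddress.ip_address(a)) for a in answers)
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ["93.184.216.34", "[::1]", "::ffff:127.0.0.1", "169.254.169.254",
                      "www.example", "intranet.example", "does-not-resolve.example"]:
        print(f"{'allow' if is_safe_target(candidate, fake_resolver) else 'block':5}  {candidate}")
```

Resolving through getaddrinfo also catches shorthand literals that ipaddress rejects, such as "127.1", because the system resolver expands them to 127.0.0.1. Two caveats remain for any guard of this shape: the check and the later connection can see different DNS answers (rebinding), so the client should connect to the address that was checked rather than resolve again, and HTTP redirects must be re-checked with the same function.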
CVE-2026-43901 (Moderate): wireshark-mcp vulnerable to arbitrary file write via export_objects when WIRESHARK_MCP_ALLOWED_DIRS is not configured. Published May 5, 2026 for wireshark-mcp (pip).
Advisories are also available from the GraphQL API.