Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,580
Maven
5,000+
npm
5,000+
NuGet
919
pip
4,816
Pub
13
RubyGems
1,043
Rust
1,251
Swift
53
Unreviewed advisories
All unreviewed
5,000+

29,347 advisories

Loading
Glances has SSRF in IP Plugin via public_api leading to credential leakage High
CVE-2026-35587 was published for glances (pip) Apr 21, 2026
Venukamatchi Credited to Venukamatchi
OpenClaude: Sandbox Bypass via Early-Exit Logic Flaw Allows Path Traversal High
CVE-2026-35570 was published for @gitlawb/openclaude (npm) Apr 21, 2026
Rickidevs Credited to Rickidevs
Glances: Cross-Origin Information Disclosure via Unauthenticated REST API (/api/4) due to Permissive CORS High
CVE-2026-34839 was published for Glances (pip) Apr 21, 2026
Venukamatchi Credited to Venukamatchi
Nginx-UI: Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints High
CVE-2026-34403 was published for github.com/0xJacky/Nginx-UI (Go) Apr 21, 2026
LMDeploy has Server-Side Request Forgery (SSRF) via Vision-Language Image Loading High
CVE-2026-33626 was published for lmdeploy (pip) Apr 21, 2026
stepanskyigor-orca Credited to stepanskyigor-orca
Nginx-UI: Disabled users retain full API access through previously issued bearer tokens High
CVE-2026-33031 was published for github.com/0xJacky/Nginx-UI (Go) Apr 21, 2026
jaehonam Credited to jaehonam
Spinnaker: RCE via expression parsing due to unrestricted context handling Critical
CVE-2026-32613 was published for io.spinnaker.echo:echo-pipelinetriggers (Maven) Apr 21, 2026
LeftenantZero Credited to LeftenantZero and jasonmcintosh jasonmcintosh jasonmcintosh
Spinnaker: RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths Critical
CVE-2026-32604 was published for io.spinnaker.clouddriver:clouddriver-artifacts-gitrepo (Maven) Apr 21, 2026
LeftenantZero Credited to LeftenantZero and jasonmcintosh jasonmcintosh jasonmcintosh
python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback Moderate
CVE-2026-28684 was published for python-dotenv (pip) Apr 21, 2026
tsigouris007 Credited to tsigouris007 and bbc2 bbc2 bbc2
OpenMage LTS has a Path Traversal Filter Bypass in Dataflow Module Moderate
CVE-2026-25525 was published for openmage/magento-lts (Composer) Apr 21, 2026
OpenMage LTS: Phar Deserialization leads to Remote Code Execution High
CVE-2026-25524 was published for openmage/magento-lts (Composer) Apr 21, 2026
FastChat has Denial of Service Through Blocking Event Loop in Model Workers (Incomplete Fix for ff66426) Moderate
CVE-2026-6607 was published for fschat (pip) Apr 20, 2026
FastChat has a Content Moderation Bypass via Arena Side-by-Side Views Moderate
CVE-2026-6608 was published for fschat (pip) Apr 20, 2026
Deep Merge is Vulnerable to Prototype Pollution Through Lack of Sanitization Moderate
CVE-2026-6594 was published for @brikcss/merge (npm) Apr 20, 2026
RAGAS has SSRF via Multi-Modal Faithfulness Collections Module Low
CVE-2026-6587 was published for ragas (pip) Apr 20, 2026
apache-airflow-providers-keycloak: Missing OAuth 2.0 State and PKCE Enables Login CSRF and Session Fixation Moderate
CVE-2026-40948 was published for apache-airflow-providers-keycloak (pip) Apr 18, 2026
Apache Airflow allows code execution through crafted XCom payloads Critical
CVE-2026-25917 was published for apache-airflow-core (pip) Apr 18, 2026
Apache Airflow exposes SQL stack trace despite "api/expose_stack_traces" set to false Moderate
CVE-2026-30912 was published for apache-airflow-core (pip) Apr 18, 2026
Apache Airflow Exposes Secrets in Variables Saved as JSON Dictionaries Low
CVE-2026-32690 was published for apache-airflow-core (pip) Apr 18, 2026
Apache Airflow allows users with asset materialize permissions to trigger DAGs outside of their permissions High
CVE-2026-32228 was published for apache-airflow-core (pip) Apr 18, 2026
Zebra Vulnerable to Consensus Divergence in Transparent Sighash Hash-Type Handling Critical
GHSA-8m29-fpq5-89jj was published for zebra-script (Rust) Apr 18, 2026
conradoplg Credited to conradoplg, mpguerra, and sangsoo-osec mpguerra mpguerra
sangsoo-osec sangsoo-osec
Zebra Vulnerable to Denial of Service via Interrupted JSON-RPC Requests from Authenticated Clients Moderate
GHSA-29x4-r6jv-ff4w was published for zebra-rpc (Rust) Apr 18, 2026
upbqdn Credited to upbqdn, mpguerra, and conradoplg mpguerra mpguerra
conradoplg conradoplg
Zebra has rk Identity Point Panic in Transaction Verification Critical
GHSA-452v-w3gx-72wg was published for zebra-chain (Rust) Apr 18, 2026
conradoplg Credited to conradoplg and mpguerra mpguerra mpguerra
MailKit has STARTTLS Response Injection via unflushed stream buffer that enables SASL mechanism downgrade Moderate
GHSA-9j88-vvj5-vhgr was published for MailKit (NuGet) Apr 18, 2026
ROCmertakdag Credited to ROCmertakdag
pretalx vulnerable to stored cross-site scripting in organizer search typeahead High
GHSA-cjcx-jfp2-f7m2 was published for pretalx (pip) Apr 18, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database