GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, by ecosystem:
All reviewed: 5,000+
Composer: 5,000+
Erlang: 49
GitHub Actions: 50
Go: 3,606
Maven: 5,000+
npm: 5,000+
NuGet: 924
pip: 4,831
Pub: 13
RubyGems: 1,045
Rust: 1,256
Swift: 53

Unreviewed advisories:
All unreviewed: 5,000+
10,363 advisories
GHSA-rpm5-65cw-6hj4 (High): GitPython has Command Injection via Git options bypass. Published for GitPython (pip), Apr 25, 2026.
GHSA-x2qx-6953-8485 (High): GitPython: Unsafe option check validates multi_options before shlex.split transformation. Published for GitPython (pip), Apr 25, 2026.
CVE-2026-41520 (High): Cilium exposes sensitive information included in the cilium-bugtool debug archive. Published for github.com/cilium/cilium (Go), Apr 25, 2026.
GHSA-74m3-9qvm-rp9h (High): zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write. Published for github.com/openziti/zrok (Go), Apr 25, 2026.
GHSA-3q34-rx83-r6mq (High): Heimdall has an authorization bypass via path normalization mismatch. Published for github.com/dadrus/heimdall (Go), Apr 25, 2026.
GHSA-72h4-mxfc-jx37 (High): Heimdall: Case-sensitive host matching may lead to policy bypass. Published for github.com/dadrus/heimdall (Go), Apr 25, 2026.
GHSA-43jv-5j4x-qv67 (High): Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation. Published for github.com/dadrus/heimdall (Go), Apr 25, 2026.
GHSA-v4p8-mg3p-g94g (High): LiteLLM: Authenticated command execution via MCP stdio test endpoints. Published for litellm (pip), Apr 25, 2026.
CVE-2026-41485 (High): Kyverno Controller Denial of Service via forEach Mutation Panic. Published for github.com/kyverno/kyverno (Go), Apr 24, 2026.
CVE-2026-41325 (High): Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection. Published for getkirby/cms (Composer), Apr 24, 2026.
CVE-2026-6553 (High): TYPO3 CMS Stores Cleartext Password in User Settings Module. Published for typo3/cms-backend (Composer), Apr 24, 2026.
CVE-2026-40912 (High): Traefik has a StripPrefixRegex Middleware Authorization Bypass via Path/RawPath Desync. Published for github.com/traefik/traefik (Go), Apr 24, 2026.
GHSA-rp7v-4384-hfrp (High): k8sGPT has Prompt Injection through its k8sGPT-Operator. Published for github.com/k8sgpt-ai/k8sgpt (Go), Apr 24, 2026.
CVE-2026-40068 (High): Claude Code: Trust Dialog Bypass via Git Worktree Spoofing Allows Arbitrary Code Execution. Published for @anthropic-ai/claude-code (npm), Apr 24, 2026.
CVE-2026-39858 (High): Traefik: Pre-authentication decision bypass due to forwarded alias spoofing. Published for github.com/traefik/traefik (Go), Apr 24, 2026.
CVE-2026-35051 (High): Traefik's ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass authentication. Published for github.com/traefik/traefik (Go), Apr 24, 2026.
CVE-2026-33524 (High): Zserio Runtime: Integer Overflow in BitStreamReader and Unbounded Memory Allocation in Deserialization. Published for io.github.ndsev:zserio-runtime (Maven), Apr 24, 2026.
GHSA-82j2-j2ch-gfr8 (High): rustls-webpki: Denial of service via panic on malformed CRL BIT STRING. Published for rustls-webpki (Rust), Apr 24, 2026.
GHSA-4f9j-vr4p-642r (High): Budibase auth session cookies are set with httpOnly:false — any XSS can lead to full account takeover. Published for @budibase/backend-core (npm), Apr 24, 2026.
CVE-2026-41486 (High): Ray: Remote Code Execution via Parquet Arrow Extension Type Deserialization. Published for ray (pip), Apr 24, 2026.
GHSA-qc5p-3mg5-9fh8 (High): Avo: Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources. Published for avo (RubyGems), Apr 24, 2026.
GHSA-xqmj-j6mv-4862 (High): LiteLLM: Server-Side Template Injection in /prompts/test endpoint. Published for litellm (pip), Apr 24, 2026.
CVE-2026-41432 (High): New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud. Published for github.com/QuantumNous/new-api (Go), Apr 24, 2026.
GHSA-f5v4-2wr6-hqmg (High): russh has pre-auth DoS via unbounded allocation in its keyboard-interactive auth handler. Published for russh (Rust), Apr 24, 2026.
CVE-2026-41316 (High): ERB has an @_init deserialization guard bypass via def_module / def_method / def_class. Published for erb (RubyGems), Apr 24, 2026.