GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
14,361 advisories
OpenTofu: Excessive resource usage in "tofu init" when installing dependencies from attacker-controlled server
Low - GHSA-pxh5-6rrc-8rjv was published for github.com/opentofu/opentofu (Go), May 20, 2026

HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or...
Low, Unreviewed - CVE-2025-31985 was published May 20, 2026

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Node View...
Low, Unreviewed - CVE-2026-8491 was published May 20, 2026

Modification of Assumed-Immutable Data (MAID) vulnerability in Drupal Translate Drupal with...
Low, Unreviewed - CVE-2026-8492 was published May 20, 2026

Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning
Low - CVE-2026-46342 was published for @nuxt/nitro-server (npm), May 19, 2026

Turbo: Unexpected local code execution during Yarn Berry detection
Low - CVE-2026-45772 was published for @turbo/codemod (npm), May 19, 2026

GitHub CLI: GitHub Actions log output in `gh run view` allows terminal escape sequence injection
Low - CVE-2026-45803 was published for github.com/cli/cli (Go), May 19, 2026

Strawberry GraphQL: Default GraphiQL may expose HTTP headers in URLs
Low - CVE-2026-45739 was published for strawberry-graphql (pip), May 19, 2026

MCP Registry: OCI validator skips ownership check on upstream rate limits
Low - CVE-2026-45781 was published for github.com/modelcontextprotocol/registry (Go), May 19, 2026

An Uncontrolled Search Path Element vulnerability in the OpenSSL TLS backend of Qt Network ...
Low, Unreviewed - CVE-2025-14575 was published May 19, 2026

go-git: Improper single-quote escaping in go-git SSH transport
Low - CVE-2026-45570 was published for github.com/go-git/go-git (Go), May 19, 2026

A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin...
Low, Unreviewed - CVE-2026-7860 was published May 19, 2026

in OpenHarmony v6.0 and prior versions allow a local attacker cause DOS.
Low, Unreviewed - CVE-2026-25110 was published May 19, 2026

in OpenHarmony v6.0 and prior versions allow a local attacker cause DOS.
Low, Unreviewed - CVE-2026-33565 was published May 19, 2026

in OpenHarmony v6.0 and prior versions allow a local attacker cause DOS.
Low, Unreviewed - CVE-2026-27781 was published May 19, 2026

in OpenHarmony v6.0 and prior versions allow a local attacker cause DOS.
Low, Unreviewed - CVE-2026-28751 was published May 19, 2026

Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal hyperlink escape...
Low, Unreviewed - CVE-2026-47090 was published May 18, 2026

Summarize prior to 0.15.1 contains a missing authorization vulnerability that allows attackers to...
Low, Unreviewed - CVE-2026-45244 was published May 18, 2026

OpenTelemetry eBPF Instrumentation: Java TLS ioctl kprobe allows kernel memory disclosure
Low - CVE-2026-45683 was published for go.opentelemetry.io/obi (Go), May 18, 2026

Broken dropper in @mistralai/mistralai, @mistralai/mistralai-azure, @mistralai/mistralai-gcp
Low - GHSA-jgg6-4rpr-wfh7 was published for @mistralai/mistralai (npm), May 18, 2026

Sulu: Used API Keys may be available via Admin API
Low - GHSA-9m6v-8fxc-4r44 was published for sulu/sulu (Composer), May 18, 2026

LibreNMS: Cross-Site Scripting in ShowConfigController
Low - CVE-2026-2728 was published for librenms/librenms (Composer), May 18, 2026

Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2: protocol-relative URI objects still bypass host scoping
Low - CVE-2026-33637 was published for faraday (RubyGems), May 18, 2026

Sveltia CMS: Stored XSS in entry summary rendering via entity-decoded HTML
Low - GHSA-97r8-rf7q-wmjw was published for @sveltia/cms (npm), May 18, 2026

Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent server-rendered content from...
Low, Unreviewed - CVE-2026-4643 was published May 18, 2026