GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

30,096 advisories

QuantumNous/new-api has an SSRF Filter Bypass via 0.0.0.0 High
CVE-2026-42339 was published for github.com/QuantumNous/new-api (Go) May 6, 2026
Credited to MeeseeksX
DevSpace UI Server WebSocket CheckOrigin does not validate source High
CVE-2026-42283 was published for github.com/loft-sh/devspace (Go) May 6, 2026
Credited to b0b0haha
Auth.js SDK has Improper Permission Checking High
CVE-2026-42280 was published for auth0-js (npm) May 6, 2026
Nginx-UI is Vulnerable to Unauthenticated Remote Code Execution via Backup Restore Critical
CVE-2026-42238 was published for github.com/0xJacky/nginx-ui (Go) May 6, 2026
Credited to captain99hook
Nginx-UI Settings API Exposes Protected Secrets Moderate
CVE-2026-42223 was published for github.com/0xJacky/nginx-ui (Go) May 6, 2026
Credited to yotampe-pluto
Nginx-UI: Unauthenticated first-boot instance claim via POST /api/install allows remote bootstrap takeover High
CVE-2026-42222 was published for github.com/0xJacky/nginx-ui (Go) May 6, 2026
Credited to Kakeru-Ishii
Nginx-UI: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim High
CVE-2026-42221 was published for github.com/0xJacky/Nginx-UI (Go) May 6, 2026
Credited to R1ZZG0D
Tauri has an Origin Confusion Issue that Allows Remote Pages to Invoke Local-Only IPC Commands Moderate
CVE-2026-42184 was published for tauri (Rust) May 6, 2026
Credited to grumpinout1, chippers, FabianLars, and tweidinger
Duplicate Advisory: Mistune has a ReDoS in LINK_TITLE_RE that allows denial of service via crafted Markdown input High
GHSA-hjph-f4mc-wx4c was published for mistune (pip) May 6, 2026 withdrawn
Credited to bhanugoudm041
Mistune has a ReDoS in LINK_TITLE_RE that allows denial of service via crafted Markdown input High
CVE-2026-33079 was published for mistune (pip) May 6, 2026
Credited to kq5y
Rucio has SQL Injection in FilterEngine PostgreSQL Query Builder via DID Search API Critical
CVE-2026-29090 was published for rucio (pip) May 6, 2026
Credited to Mistz1
Rucio has SQL Injection in FilterEngine Oracle JSON Path via DID Search API Critical
CVE-2026-29080 was published for rucio (pip) May 6, 2026
Credited to Mistz1
ArcadeDB vulnerable to cross-database authorization bypass and unsecured newly-created databases Critical
CVE-2026-44221 was published for com.arcadedb:arcadedb-server (Maven) May 5, 2026
vLLM Vulnerable to Remote DoS via Special-Token Placeholders Moderate
CVE-2026-44222 was published for vllm (pip) May 5, 2026
Credited to wumingzhilian
AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization High
CVE-2026-43885 was published for wwbn/avideo (Composer) May 5, 2026
Credited to tronglinh23
ciguard: Web UI is missing HTTP defence-in-depth headers Low
GHSA-7ww3-xvf5-cxwm was published for ciguard (pip) May 5, 2026
ciguard: discover_pipeline_files follows symlinks out of scan root Low
CVE-2026-44220 was published for ciguard (pip) May 5, 2026
ciguard: Container image runs as root (no USER directive) Low
CVE-2026-44218 was published for ciguard (pip) May 5, 2026
ciguard: SCA HTTP client reads response body without size cap Moderate
CVE-2026-44219 was published for ciguard (pip) May 5, 2026
sse-channel: SSE Injection via unsanitized event fields Moderate
CVE-2026-44217 was published for sse-channel (npm) May 5, 2026
Credited to SnailSploit
AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL() High
CVE-2026-43884 was published for wwbn/avideo (Composer) May 5, 2026
Credited to SnailSploit
AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements Moderate
CVE-2026-43883 was published for wwbn/avideo (Composer) May 5, 2026
Credited to offset
jdbi3-freemarker Vulnerable to Improper Neutralization of Special Elements Used in FreeMarker Template Engine High
GHSA-mggx-p7jf-jgw4 was published for org.jdbi:jdbi3-freemarker (Maven) May 5, 2026
Credited to wodzen
AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing Moderate
CVE-2026-43882 was published for wwbn/avideo (Composer) May 5, 2026
authd: Primary group ID is incorrectly set to value of UID High
CVE-2026-6970 was published for github.com/canonical/authd (Go) May 5, 2026
Credited to nooreldeenmansour, samikhan-de, and korhlibri