GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

29,999 advisories

Angular SSR has Open Redirect and Request Steering via Encoded X-Forwarded-Prefix Moderate
CVE-2026-44437 was published for @angular/ssr (npm) May 6, 2026
Credited to kimkou2024, alan-agius4, dgp1130, and AndrewKushnir
ldap3_proto has LDAP Filter stack exhaustion High
GHSA-qcxq-75wr-5cm8 was published for ldap3_proto (Rust) May 6, 2026
Credited to mbarbero
kanidmd_lib: Image upload validators run before authorization; PNG validator panics on malformed input Moderate
GHSA-84jc-3hj2-hwc7 was published for kanidmd_lib (Rust) May 6, 2026
Credited to mbarbero
scim_proton and kanidm_proto have an authenticated process abort via SCIM filter stack exhaustion High
GHSA-r5fr-9gmv-jggh was published for kanidm_proto (Rust) May 6, 2026
Credited to mbarbero
Kanidm has non-constant-time comparison of OAuth2 client_secret Low
GHSA-53hj-r94p-8c8f was published for kanidm (Rust) May 6, 2026
Credited to mbarbero
webauthn-rs-core/webauthn-authenticator-rs: Origin validation mismatch possible when subdomains are allowed Low
GHSA-22w3-693w-x895 was published for webauthn-authenticator-rs (Rust) May 6, 2026
Credited to dorakemon
ShellHub has crash-DoS via field injection in filter and sort-by parameters Moderate
CVE-2026-44425 was published for github.com/shellhub-io/shellhub (Go) May 6, 2026
Credited to Edu0x01
@axonflow/openclaw fix introduces plugin cache and credential-file permission hardening Moderate
GHSA-cqmh-pcgr-q42f was published for @axonflow/openclaw (npm) May 6, 2026
ShellHub has cross-tenant IDOR in `GET /api/sessions/:uid` that discloses SSH session data Moderate
CVE-2026-44423 was published for github.com/shellhub-io/shellhub (Go) May 6, 2026
Credited to Edu0x01
ShellHub has cross-tenant IDOR in `GET /api/devices/:uid` that discloses device data of any namespace Moderate
CVE-2026-44424 was published for github.com/shellhub-io/shellhub (Go) May 6, 2026
Credited to Edu0x01
axonflow-sdk-java: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification Moderate
GHSA-248h-974q-xrc2 was published for com.getaxonflow:axonflow-sdk (Maven) May 6, 2026
axonflow-sdk-go: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification Moderate
GHSA-mhc4-qq83-fmrr was published for github.com/getaxonflow/axonflow-sdk-go/v5 (Go) May 6, 2026
Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening Critical
GHSA-9h64-2846-7x7f was published for github.com/getaxonflow/axonflow (Go) May 6, 2026
Netty epoll transport denial of service via RST on half-closed TCP connection High
CVE-2026-42577 was published for io.netty:netty-transport-native-epoll (Maven) May 6, 2026
Credited to Stormpx
Credited to HyperPS
Backstage: Catalog unprocessed read endpoints allow authenticated cross-owner data access without permission checks Moderate
CVE-2026-44374 was published for @backstage/plugin-catalog-backend-module-unprocessed (npm) May 6, 2026
Grav Form Plugin has an Anonymous Page Content Overwrite via Form File Upload filename Override High
CVE-2026-42845 was published for getgrav/grav-plugin-form (Composer) May 6, 2026
Credited to fr0stydev
Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules Moderate
CVE-2026-44372 was published for nitro (npm) May 6, 2026
Credited to 0x0OZ
Nitro has a proxy scope bypass via percent-encoded path traversal in `routeRules` Moderate
CVE-2026-44373 was published for nitro (npm) May 6, 2026
Credited to mHe4am
pyquorum: Timing side‑channel in mul_mod Moderate
CVE-2026-44368 was published for pyquorum (pip) May 6, 2026
MediaMTX affected by CVE-2026-27143 due to vulnerable dependency Low
GHSA-2ccx-cjjh-r2j8 was published for github.com/bluenviron/mediamtx (Go) May 6, 2026