Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
50
GitHub Actions
50
Go
3,707
Maven
5,000+
npm
5,000+
NuGet
935
pip
4,938
Pub
13
RubyGems
1,053
Rust
1,332
Swift
54
Unreviewed advisories
All unreviewed
5,000+

4,080 advisories

Loading
Fleet: Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering Critical
CVE-2026-41050 was published for github.com/rancher/fleet (Go) May 7, 2026
kodareef5 Credited to kodareef5
Gotenberg vulnerable to unauthenticated SSRF via default deny-list bypass in downloadFrom and webhook Critical
CVE-2026-42596 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
R1ZZG0D Credited to R1ZZG0D
Gotenberg has Unauthenticated RCE via ExifTool Metadata Key Injection Critical
CVE-2026-42589 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
S-Senhaji Credited to S-Senhaji
Compromise of PyTorch Lightning PyPi Package Versions Critical
CVE-2026-44484 was published for pytorch-lightning (pip) May 7, 2026
Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening Critical
GHSA-9h64-2846-7x7f was published for github.com/getaxonflow/axonflow (Go) May 6, 2026
misp-modules website - Missing CSRF protection in the website home blueprint Critical
CVE-2026-44364 was published for misp-modules (pip) May 6, 2026
DavidCruciani Credited to DavidCruciani
fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver Critical
CVE-2026-44351 was published for fast-jwt (npm) May 6, 2026
bhaswanthc Credited to bhaswanthc and SociableSteve SociableSteve SociableSteve
Valtimo has SpEL injection via StandardEvaluationContext that allows Remote Code Execution by admin users Critical
CVE-2026-42555 was published for com.ritense.valtimo:case (Maven) May 6, 2026
phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha Critical
GHSA-289f-fq7w-6q2w was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
phpMyFAQ enables unauthenticated 2FA brute-force attack via /admin/check acceptance of arbitrary user-id Critical
GHSA-9pq7-mfwh-xx2j was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Scramble vulnerable to remote code execution via evaluation of user-controlled input in validation rules Critical
CVE-2026-44262 was published for dedoc/scramble (Composer) May 6, 2026
FORIMOC Credited to FORIMOC
wger: cross-tenant password reset and plaintext disclosure via gym=None bypass Critical
CVE-2026-43948 was published for wger (pip) May 6, 2026
whatisproblem Credited to whatisproblem
Nginx-UI is Vulnerable to Unauthenticated Remote Code Execution via Backup Restore Critical
CVE-2026-42238 was published for github.com/0xJacky/nginx-ui (Go) May 6, 2026
captain99hook Credited to captain99hook
Rucio has SQL Injection in FilterEngine PostgreSQL Query Builder via DID Search API Critical
CVE-2026-29090 was published for rucio (pip) May 6, 2026
Mistz1 Credited to Mistz1
Rucio has SQL Injection in FilterEngine Oracle JSON Path via DID Search API Critical
CVE-2026-29080 was published for rucio (pip) May 6, 2026
Mistz1 Credited to Mistz1
ArcadeDB vulnerable to cross-database authorization bypass and unsecured newly-created databases Critical
CVE-2026-44221 was published for com.arcadedb:arcadedb-server (Maven) May 5, 2026
Grav has multiple RCE vectors: unsafe unserialize (x3), command injection in git clone, SSTI blocklist bypass Critical
GHSA-vj3m-2g9h-vm4p was published for getgrav/grav (Composer) May 5, 2026
Proscan-one Credited to Proscan-one
Grav Vulnerable to Privilege Escalation via Missing Server-Side Validation of groups/access Critical
CVE-2026-42613 was published for getgrav/grav (Composer) May 5, 2026
Baikuya Credited to Baikuya
Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature Critical
CVE-2026-42607 was published for getgrav/grav (Composer) May 5, 2026
akgul7990 Credited to akgul7990
DevGuard has an unauthenticated identity assertion via `X-Admin-Token` header Critical
CVE-2026-42300 was published for github.com/l3montree-dev/devguard (Go) May 5, 2026
MagicMirror vulnerable to unauthenticated SSRF via /cors endpoint Critical
CVE-2026-42281 was published for magicmirror (npm) May 5, 2026
Astaruf Credited to Astaruf
django-s3file is vulnerable to relative path traversal Critical
CVE-2026-42196 was published for django-s3file (pip) May 5, 2026
stsewd Credited to stsewd and amureki amureki amureki
Magento LTS has Weak API Session ID — Predictable MD5 of Time-Derived Inputs Critical
CVE-2026-42155 was published for openmage/magento-lts (Composer) May 5, 2026
0x0OZ Credited to 0x0OZ
S3-Proxy has Security Issues in its Resource Path Matching Implementation Critical
CVE-2026-42882 was published for github.com/oxyno-zeta/s3-proxy (Go) May 5, 2026
argos83 Credited to argos83
Langflow Knowledge Bases API is Vulnerable to Path Traversal Critical
CVE-2026-42048 was published for langflow (pip) May 5, 2026
ddlxstudio Credited to ddlxstudio, nekros1xx, AntonioABLima, Cristhianzl, and andifilhohub nekros1xx nekros1xx
AntonioABLima AntonioABLima Cristhianzl Cristhianzl andifilhohub andifilhohub
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database