
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

13,260 advisories

FacturaScripts Vulnerable to Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images Moderate
CVE-2026-42879 was published for facturascripts/facturascripts (Composer) May 7, 2026
Credited to guzrex
FacturaScripts Vulnerable to Unauthenticated phpinfo() Disclosure via Installer Endpoint Moderate
CVE-2026-42878 was published for facturascripts/facturascripts (Composer) May 7, 2026
Credited to preritpathak
FacturaScripts vulnerable to stored XSS via product reference in sales/purchases Moderate
CVE-2026-42877 was published for facturascripts/facturascripts (Composer) May 7, 2026
Credited to ormzro
FacturaScripts Vulnerable to Unstripped Image Metadata (EXIF) Leakage via Library Module File Upload/Download Moderate
CVE-2026-27892 was published for facturascripts/facturascripts (Composer) May 7, 2026
Credited to sudo0xksh
BentoML has Information Disclosure in `bentoml build` via symlink traversal in the build context Moderate
CVE-2026-40610 was published for bentoml (pip) May 7, 2026
Credited to larlarua
Netty MQTT: Resource exhaustion in MqttDecoder Moderate
CVE-2026-44248 was published for io.netty:netty-codec-mqtt (Maven) May 7, 2026
Credited to chrisvest
Bandit HTTP/2 Frame Size Limit Bypass via Late Buffer Check Enables Memory Exhaustion Moderate
CVE-2026-42788 was published for bandit (Erlang) May 7, 2026
Credited to PJUllrich
Bandit trusts client-supplied URI scheme on plaintext connections Moderate
CVE-2026-39807 was published for bandit (Erlang) May 7, 2026
Credited to PJUllrich, mtrudel, and maennchen
Bandit is vulnerable to CL.CL request smuggling via unrejected duplicate `Content-Length` header Moderate
CVE-2026-39805 was published for bandit (Erlang) May 7, 2026
Credited to PJUllrich, mtrudel, and maennchen
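The CL.CL entry above describes a server that accepts a request carrying two `Content-Length` headers. RFC 9112 section 6.3 makes differing values an unrecoverable framing error, because a front-end that honours the first value and a back-end that honours the second will disagree about where the next request starts. The block below is an added example in Python, not Bandit's code and not taken from the advisory: a framing check that rejects duplicate or conflicting `Content-Length` (including the list form `Content-Length: 5, 5`), rejects `Content-Length` alongside `Transfer-Encoding`, and only accepts a final `chunked` coding. The sample request and hostname are constructed.

```python
"""Added example: HTTP/1.1 message-framing check that refuses requests
a front-end and a back-end could frame with different body lengths.
Not Bandit's code; the sample request below is constructed."""
import re
from typing import List, Optional, Tuple

_DIGITS = re.compile(r"^[0-9]+$")


class FramingError(ValueError):
    """Raised when the request cannot be framed unambiguously."""


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split the header block into (lowercased name, value) pairs, keeping duplicates."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("missing end of headers")
    headers: List[Tuple[str, str]] = []
    for line in head.split(b"\r\n")[1:]:  # element 0 is the request line
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise FramingError("malformed header line")
        headers.append((name.decode("latin-1").strip().lower(),
                        value.decode("latin-1").strip()))
    return headers


def body_length(headers: List[Tuple[str, str]], strict: bool = True) -> Optional[int]:
    """Return the declared body length, None for chunked, or raise FramingError.

    strict=True rejects any repeated Content-Length, even identical copies;
    strict=False follows the RFC 9110 allowance to collapse identical copies.
    """
    te = [v for n, v in headers if n == "transfer-encoding"]
    cls: List[str] = []
    for n, v in headers:
        if n == "content-length":
            # "Content-Length: 5, 5" is a list-valued duplicate; treat it like two fields
            cls.extend(part.strip() for part in v.split(","))
    if te:
        if cls:
            # proxies disagree on which header wins, so refuse the combination outright
            raise FramingError("Transfer-Encoding and Content-Length both present")
        if te[-1].split(",")[-1].strip().lower() != "chunked":
            raise FramingError("final transfer coding is not chunked")
        return None
    if not cls:
        return 0
    if any(not _DIGITS.match(c) for c in cls):
        raise FramingError("malformed Content-Length")
    if len(cls) > 1:
        if strict:
            raise FramingError("duplicate Content-Length")
        if len(set(cls)) != 1:
            raise FramingError("conflicting Content-Length values")
    return int(cls[0])


def check_request(raw: bytes, strict: bool = True) -> Tuple[str, str]:
    """("accept", "<n>" | "chunked") or ("reject", reason) for one raw request."""
    try:
        n = body_length(parse_headers(raw), strict=strict)
    except FramingError as exc:
        return ("reject", str(exc))
    return ("accept", "chunked" if n is None else str(n))


# Constructed CL.CL probe: a hop honouring the first header forwards 6 body
# bytes; a hop honouring the second keeps reading into the next request.
SMUGGLE_CL_CL = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
                 b"Content-Length: 6\r\nContent-Length: 41\r\n\r\n"
                 b"x=1&y=GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n")

if __name__ == "__main__":
    print(check_request(SMUGGLE_CL_CL))  # ('reject', 'duplicate Content-Length')
```

The default is stricter than the RFC minimum on purpose: collapsing identical duplicates is permitted, but a server that sits behind proxies of unknown behaviour gains nothing by accepting them, and rejecting keeps the framing decision in one place.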
gittuf's policy can be rolled back to prior valid versions Moderate
CVE-2026-44544 was published for github.com/gittuf/gittuf (Go) May 7, 2026
Credited to andrew
FileBrowser Vulnerable to Stored XSS via SVG File in Public Share (Missing CSP Header) Moderate
GHSA-mmpx-jh39-wrv6 was published for github.com/gtsteffaniak/filebrowser (Go) May 7, 2026
Credited to MuxiLyuLucy
docling-graph has SSRF via Missing Internal IP Validation in URLInputHandler Moderate
CVE-2026-44520 was published for docling-graph (pip) May 7, 2026
Credited to ayoub-ibm and dolfim-ibm
imageproc: integer overflow in kernel size check leads to out-of-bounds read Moderate
GHSA-w5p8-4jcx-2j6r was published for imageproc (Rust) May 7, 2026
imageproc: Out-of-bounds read via NaN coordinates in bilinear/bicubic sampling Moderate
GHSA-qg8r-f7x3-25f7 was published for imageproc (Rust) May 7, 2026
imageproc has fragile bounds check when sampling from image Moderate
GHSA-5qv7-j6w5-fr4m was published for imageproc (Rust) May 7, 2026
ShellHub has cross-tenant IDOR in `GET /api/namespaces/:tenant` via API Key bypasses membership check Moderate
CVE-2026-44426 was published for github.com/shellhub-io/shellhub (Go) May 7, 2026
Credited to Edu0x01
hickory-proto vulnerable to CPU exhaustion during message encoding due to O(n²) name compression Moderate
GHSA-q2qq-hmj6-3wpp was published for hickory-proto (Rust) May 7, 2026
Credited to qifan-sailboat
Daptin's Session Management Vulnerability Leads to Insufficient Session Expiration After Password Change Moderate
GHSA-258c-965c-p3hc was published for github.com/daptin/daptin (Go) May 7, 2026
Credited to VashuVats
Kubetail has a Cross-Site WebSocket Hijacking issue that allows attacker to read Kubernetes logs from authenticated users Moderate
CVE-2026-44514 was published for github.com/kubetail-org/kubetail/modules/cli (Go) May 7, 2026
go-ipld-prime's DAG-CBOR and DAG-JSON decoders have unbounded recursion depth Moderate
CVE-2026-42328 was published for github.com/ipld/go-ipld-prime (Go) May 7, 2026
Credited to yuliyu123
CSS Parser: Improper Certificate Validation allows MITM injection of remote CSS content Moderate
CVE-2026-44312 was published for css_parser (RubyGems) May 7, 2026
Credited to JLLeitschuh
Free5GC AMF Bypasses UE Security Capabilities on NGAP PathSwitchRequest Moderate
CVE-2026-42081 was published for github.com/free5gc/amf (Go) May 7, 2026
Credited to SJNA0414, ICSR-KMU, and bradypus404
Gotenberg allows Chromium URL conversion routes to read arbitrary files under /tmp via file:// scheme Moderate
CVE-2026-42597 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
Credited to adrgs and aisafe-bot
Gotenberg has arbitrary PDF read via stampExpression and watermarkExpression in merge, split, and convert routes Moderate
CVE-2026-42593 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
Credited to adrgs and aisafe-bot
Gotenberg's DNS rebinding bypasses SSRF validation on Chromium URL conversion routes Moderate
CVE-2026-42592 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
Credited to adrgs and aisafe-bot
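The DNS rebinding entry above names the classic bypass of a resolve-and-check SSRF filter: the validator resolves the hostname once and sees a public address, then the HTTP client resolves it a second time and the attacker's DNS server answers 127.0.0.1. The block below is an added example in Python, not Gotenberg's code and not taken from the advisory. It shows the vulnerable pattern beside a hardened one: resolve exactly once, require every returned address to be public, and hand the caller a pinned IP to connect to while sending the original `Host` header. The scheme check also refuses `file://`, which is the class of the file-read entry further up. The resolver is injectable so the block runs offline; `RebindingResolver` and the addresses in it are constructed, and `attacker.example` is a placeholder.

```python
"""Added example: SSRF target validation that survives DNS rebinding.
Not Gotenberg's code; the resolver answers below are constructed."""
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]

# Address ranges a server-side fetcher should never be allowed to reach.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # ::ffff:127.0.0.1 is IPv4 loopback in disguise; judge it under the v4 rules
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED)


def system_resolver(host: str) -> List[str]:
    """Real DNS lookup; only used when no resolver is injected."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _host_of(url: str) -> str:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):   # refuses file://, gopher://, etc.
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    return parts.hostname


def naive_target(url: str, resolver: Resolver = system_resolver) -> str:
    """Vulnerable pattern: validate one lookup, then let the client look up again."""
    host = _host_of(url)
    if any(is_blocked(ip) for ip in resolver(host)):
        raise ValueError("blocked")
    return resolver(host)[0]   # second lookup: a rebinding DNS server answers differently


def pin_target(url: str, resolver: Resolver = system_resolver) -> Tuple[str, str]:
    """Hardened pattern: resolve exactly once, require every answer to be public,
    and return (host_header, pinned_ip). The caller connects to pinned_ip and
    sends Host: host_header (and SNI) instead of re-resolving the name."""
    host = _host_of(url)
    try:
        ips = [str(ipaddress.ip_address(host))]   # IP literal: no DNS involved
    except ValueError:
        ips = resolver(host)
    if not ips:
        raise ValueError(f"{host} does not resolve")
    # check all answers, not just the first: mixing one public and one private
    # record and hoping the client picks the private one is a known trick
    for ip in ips:
        if is_blocked(ip):
            raise ValueError(f"{host} resolves to blocked address {ip}")
    return host, ips[0]


class RebindingResolver:
    """Constructed stand-in for an attacker's DNS: public answer first, loopback after."""

    def __init__(self, answers: List[str]) -> None:
        self.answers = list(answers)

    def __call__(self, host: str) -> List[str]:
        ip = self.answers.pop(0) if len(self.answers) > 1 else self.answers[0]
        return [ip]


if __name__ == "__main__":
    dns = RebindingResolver(["203.0.113.10", "127.0.0.1"])
    print(naive_target("http://attacker.example/", dns))   # 127.0.0.1: the check was bypassed
    dns = RebindingResolver(["203.0.113.10", "127.0.0.1"])
    print(pin_target("http://attacker.example/", dns))      # ('attacker.example', '203.0.113.10')
```

Pinning only helps if the HTTP client actually honours it: with a headless browser doing the fetch, as in the Chromium routes named above, the process doing the lookup and the process opening the socket are different, so the same single-resolution rule has to be enforced at the network layer (a proxy or egress policy that the browser cannot bypass) rather than in the request validator alone.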