Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,630
Maven
5,000+
npm
5,000+
NuGet
928
pip
4,850
Pub
13
RubyGems
1,045
Rust
1,301
Swift
53
Unreviewed advisories
All unreviewed
5,000+

118 advisories

Loading
monetr: Server-side request forgery in Lunch Flow link creation and refresh High
CVE-2026-41644 was published for github.com/monetr/monetr (Go) Apr 22, 2026
elliotcourant Credited to elliotcourant
Meridian: Multiple defense-in-depth gaps (collection/depth caps, telemetry, retry, fan-out) High
GHSA-f5v8-v6q3-q4h6 was published for Meridian.Mapping (NuGet) Apr 16, 2026
free5gc UDR nudr-dr influenceData/subs-to-notify leaks SUPI in error response body without authentication High
CVE-2026-40245 was published for github.com/free5gc/udr (Go) Apr 14, 2026
Giancannella Credited to Giancannella and FrancescoDAlterio FrancescoDAlterio FrancescoDAlterio
Apache Tomcat: Padding Oracle vulnerability in EncryptInterceptor High
CVE-2026-29146 was published for org.apache.tomcat:tomcat (Maven) Apr 9, 2026
tkwilli94 Credited to tkwilli94
Authorizer: CQL/N1QL Injection in Cassandra and Couchbase Backends via fmt.Sprintf String Interpolation High
GHSA-jfwg-rxf3-p7r9 was published for github.com/authorizerdev/authorizer (Go) Apr 6, 2026
morimori-dev Credited to morimori-dev
Open WebUI vulnerable to Path Traversal in `POST /api/v1/audio/transcriptions` Moderate
CVE-2026-28786 was published for open-webui (pip) Mar 27, 2026
akshatgit Credited to akshatgit
Keycloak's identity-first login flow exposes user information Low
CVE-2026-4633 was published for org.keycloak:keycloak-services (Maven) Mar 23, 2026
dnegreira Credited to dnegreira
free5GC UDM incorrectly returns 500 for empty supi path parameter in PATCH sdm-subscriptions reques High
CVE-2026-33192 was published for github.com/free5gc/udm (Go) Mar 18, 2026
free5GC UDM incorrectly returns 500 for empty supi path parameter in DELETE sdm-subscriptions request Moderate
CVE-2026-33065 was published for github.com/free5gc/udm (Go) Mar 18, 2026
parse-server: Malformed `$regex` query leaks database error details in API response Moderate
CVE-2026-30835 was published for parse-server (npm) Mar 6, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
Curio exposes database credentials to users with network access through verbose HTTP error responses High
GHSA-gj6x-q8rh-wj6x was published for github.com/filecoin-project/curio (Go) Feb 26, 2026
Apache Airflow error reporting may expose full kwargs Moderate
CVE-2025-65995 was published for apache-airflow (pip) Feb 21, 2026
OpenClaw session tool visibility hardening and Telegram webhook secret fallback Moderate
CVE-2026-27004 was published for openclaw (npm) Feb 18, 2026
aether-ai-agent Credited to aether-ai-agent
Libredesk has a SSRF Vulnerability in Webhooks Moderate
CVE-2026-26957 was published for github.com/abhinavxd/libredesk (Go) Feb 18, 2026
PlayerIUnknown Credited to PlayerIUnknown
Directus Vulnerable to Information Leakage in Existing Collections Moderate
CVE-2025-64749 was published for @directus/api (npm) Nov 13, 2025
sbstn-k Credited to sbstn-k and kmzs kmzs kmzs
Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers Moderate
GHSA-xvp7-8vm8-xfxx was published for @actual-app/sync-server (npm) Oct 20, 2025
StoobertB Credited to StoobertB
ibexa/user login enumerates user accounts Moderate
GHSA-q3x8-6898-23g3 was published for ibexa/user (Composer) Oct 17, 2025
Canonical LXD Project Existence Determination Through Error Handling in Image Get Function Moderate
CVE-2025-54291 was published for github.com/canonical/lxd (Go) Oct 2, 2025
Liferay Portal and Liferay DXP vulnerable to store Cross-site Scripting Moderate
CVE-2025-43776 was published for com.liferay.portal:release.dxp.bom (Maven) Sep 9, 2025
TYPO3 CMS exposes sensitive information in an error message Moderate
CVE-2025-59016 was published for typo3/cms-core (Composer) Sep 9, 2025
Liferay Portal exposes 500 status when attempting login with a deleted client secret Moderate
CVE-2025-43777 was published for com.liferay:com.liferay.portal.security.sso.openid.connect.impl (Maven) Sep 9, 2025
OMERO.web displays unecessary user information when requesting password reset Moderate
CVE-2025-54791 was published for omero-web (pip) Aug 13, 2025
Infinispan CLI vulnerable to Generation of Error Message Containing Sensitive Information Moderate
CVE-2025-5731 was published for org.infinispan:infinispan-cli-client (Maven) Jun 27, 2025
Jackson-core Vulnerable to Memory Disclosure via Source Snippet in JsonLocation Moderate
CVE-2025-49128 was published for com.fasterxml.jackson.core:jackson-core (Maven) Jun 7, 2025
lucasdrufva Credited to lucasdrufva and gwittel gwittel gwittel
Hashicorp Vault Community vulnerable to Generation of Error Message Containing Sensitive Information Moderate
CVE-2025-4166 was published for github.com/hashicorp/vault (Go) May 2, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database