Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,436
Maven
5,000+
npm
5,000+
NuGet
883
pip
4,694
Pub
13
RubyGems
1,029
Rust
1,212
Swift
53
Unreviewed advisories
All unreviewed
5,000+

29,521 advisories

Loading
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow... Critical Unreviewed
CVE-2026-35616 was published Apr 4, 2026
Hirschmann HiOS and HiSecOS products RSP, RSPE, RSPS, RSPL, MSP, EES, EESX, GRS, OS, RED, EAGLE... Critical Unreviewed
CVE-2018-25236 was published Apr 4, 2026
Hirschmann HiSecOS devices versions prior to 05.3.03 contain a buffer overflow vulnerability in... Critical Unreviewed
CVE-2018-25237 was published Apr 4, 2026
Hirschmann HiLCOS OpenBAT and BAT450 products contain a firewall bypass vulnerability in IPv6... Critical Unreviewed
CVE-2021-4477 was published Apr 4, 2026
ProSoft Technology ICX35-HWC versions 1.3 and prior cellular gateways contain an input validation... Critical Unreviewed
CVE-2017-20236 was published Apr 4, 2026
ProSoft Technology ICX35-HWC version 1.3 and prior cellular gateways contain an authentication... Critical Unreviewed
CVE-2017-20235 was published Apr 4, 2026
GarrettCom Magnum 6K and 10K managed switches contain an authentication bypass vulnerability that... Critical Unreviewed
CVE-2017-20234 was published Apr 4, 2026
LiteLLM: Authentication bypass via OIDC userinfo cache key collision Critical
CVE-2026-35030 was published for litellm (pip) Apr 3, 2026
veria-labs Credited to veria-labs
goshs: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) Critical
CVE-2026-35471 was published for github.com/patrickhener/goshs (Go) Apr 3, 2026
autobot23920 Credited to autobot23920
SandboxJS: Sandbox integrity escape Critical
CVE-2026-34208 was published for @nyariv/sandboxjs (npm) Apr 3, 2026
fancymalware Credited to fancymalware
Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity Critical
CVE-2026-33950 was published for signalk-server (npm) Apr 3, 2026
VashuVats Credited to VashuVats
Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist Critical
CVE-2026-31818 was published for @budibase/backend-core (npm) Apr 3, 2026
Moonster8282 Credited to Moonster8282
Improper certificate validation in the identity provider connection components in Amazon Athena... Critical Unreviewed
CVE-2026-35560 was published Apr 3, 2026
Insufficient authentication security controls in the browser-based authentication components in... Critical Unreviewed
CVE-2026-35561 was published Apr 3, 2026
A specific endpoint allows authenticated users to pivot to other user profiles by modifying the... Critical Unreviewed
CVE-2026-25197 was published Apr 3, 2026
A specific endpoint exposes all user account information for registered Gardyn users without... Critical Unreviewed
CVE-2026-28766 was published Apr 3, 2026
Hirschmann Industrial HiVision versions prior to 06.0.07 and 07.0.03 contains an authentication... Critical Unreviewed
CVE-2017-20237 was published Apr 3, 2026
The Stackfield Desktop App before 1.10.2 for macOS and Windows contains a path traversal... Critical Unreviewed
CVE-2026-28373 was published Apr 3, 2026
mlflow: FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization Critical
CVE-2026-0545 was published for mlflow (pip) Apr 3, 2026
pymetasploit3 vulnerable to command injection in console.run_module_with_output() Critical
CVE-2026-5463 was published for pymetasploit3 (pip) Apr 3, 2026
goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs POST multipart upload Critical
CVE-2026-35393 was published for github.com/patrickhener/goshs (Go) Apr 3, 2026
autobot23920 Credited to autobot23920
goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload Critical
CVE-2026-35392 was published for github.com/patrickhener/goshs (Go) Apr 3, 2026
autobot23920 Credited to autobot23920
fast-jwt: Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup) Critical
CVE-2026-35039 was published for fast-jwt (npm) Apr 3, 2026
fasrm Credited to fasrm and SociableSteve SociableSteve SociableSteve
CI4MS: Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS Critical
CVE-2026-34989 was published for ci4-cms-erp/ci4ms (Composer) Apr 3, 2026
bugmithlegend Credited to bugmithlegend and peeefour peeefour peeefour
Kedro has Arbitrary Code Execution via Malicious Logging Configuration Critical
CVE-2026-35171 was published for kedro (pip) Apr 3, 2026
Wernerina Credited to Wernerina
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database