Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,436
Maven
5,000+
npm
5,000+
NuGet
883
pip
4,694
Pub
13
RubyGems
1,029
Rust
1,212
Swift
53
Unreviewed advisories
All unreviewed
5,000+

10,081 advisories

Loading
Pretext: Algorithmic Complexity (DoS) in the text analysis phase High
GHSA-5478-66c3-rhxr was published for @chenglou/pretext (npm) Apr 8, 2026
NapongiZero Credited to NapongiZero
basic-ftp has FTP Command Injection via CRLF High
GHSA-chqc-8p9q-pq6q was published for basic-ftp (npm) Apr 8, 2026
zebbern Credited to zebbern
AGiXT Vulnerable to Path Traversal in safe_join() High
GHSA-5gfj-64gh-mgmw was published for agixt (pip) Apr 8, 2026
YeranG30 Credited to YeranG30
Laravel Passport: TokenGuard Authenticates Unrelated User for Client Credentials Tokens High
GHSA-349c-2h2f-mxf6 was published for laravel/passport (Composer) Apr 8, 2026
pushpak1300 Credited to pushpak1300
n8n-mcp has authenticated SSRF via instance-URL header in multi-tenant HTTP mode High
GHSA-4ggg-h7ph-26qr was published for n8n-mcp (npm) Apr 8, 2026
ibrahmsql Credited to ibrahmsql
mercure has Topic Selector Cache Key Collision High
GHSA-hwr4-mq23-wcv5 was published for github.com/dunglas/mercure (Go) Apr 8, 2026
dunglas Credited to dunglas
Tmds.DBus: malicious D-Bus peers can spoof signals, exhaust file descriptor resources, and cause denial of service High
GHSA-xrw6-gwf8-vvr9 was published for Tmds.DBus (NuGet) Apr 8, 2026
mcp-from-openapi is Vulnerable to SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications High
CVE-2026-39885 was published for @frontmcp/adapters (npm) Apr 8, 2026
TharVid Credited to TharVid and frontegg-david frontegg-david frontegg-david
opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking High
CVE-2026-39883 was published for go.opentelemetry.io/otel/sdk (Go) Apr 8, 2026
kodareef5 Credited to kodareef5 and dmathieu dmathieu dmathieu
PraisonAI has Template Injection in Agent Tool Definitions High
CVE-2026-39891 was published for praisonai (pip) Apr 8, 2026
offset Credited to offset
PraisonAI Has Unauthenticated SSE Event Stream that Exposes All Agent Activity in A2U Server High
CVE-2026-39889 was published for praisonai (pip) Apr 8, 2026
srisowmya2000 Credited to srisowmya2000
CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller High
CVE-2026-39394 was published for ci4-cms-erp/ci4ms (Composer) Apr 8, 2026
offset Credited to offset
CI4MS Vulnerable to Post-Installation Re-entry via Cache-Dependent Install Guard Bypass High
CVE-2026-39393 was published for ci4-cms-erp/ci4ms (Composer) Apr 8, 2026
offset Credited to offset
stata-mcp has insufficient validation of user-supplied Stata do-file content that can lead to command execution High
CVE-2026-31040 was published for stata-mcp (pip) Apr 8, 2026
Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit High
CVE-2026-27806 was published for github.com/fleetdm/fleet/v4 (Go) Apr 8, 2026
bugbunny-research Credited to bugbunny-research
Eclipse Jetty: Early return from the JASPIAuthenticator code can potentially no clear ThreadLocal variables High
CVE-2026-5795 was published for org.eclipse.jetty.ee10:jetty-ee10 (Maven) Apr 8, 2026
OpenEXR: DWA Lossy Decoder Heap Out-of-Bounds Write High
CVE-2026-34589 was published for OpenEXR (pip) Apr 8, 2026
quangIO Credited to quangIO
OpenEXR has a signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/Write High
CVE-2026-34588 was published for OpenEXR (pip) Apr 8, 2026
quangIO Credited to quangIO
kcp's cache server is accessible without authentication or authorization checks High
CVE-2026-39429 was published for github.com/kcp-dev/kcp (Go) Apr 8, 2026
ntnn Credited to ntnn
LiquidJS: Root restriction bypass for partial and layout loading through symlinked templates High
CVE-2026-35525 was published for liquidjs (npm) Apr 8, 2026
Jvr2022 Credited to Jvr2022
XWiki vulnerable to remote code execution with script right through unprotected Velocity scripting API High
CVE-2026-33229 was published for org.xwiki.platform:xwiki-platform-legacy-oldcore (Maven) Apr 8, 2026
azefzafyoussef Credited to azefzafyoussef
Drizzle ORM has SQL injection via improperly escaped SQL identifiers High
CVE-2026-39356 was published for drizzle-orm (npm) Apr 8, 2026
EthanKim88 Credited to EthanKim88 and 0x90sh 0x90sh 0x90sh
Emissary has a Command Injection via PLACE_NAME Configuration in Executrix High
CVE-2026-35581 was published for gov.nsa.emissary:emissary (Maven) Apr 8, 2026
BrennanTM Credited to BrennanTM
FastFeedParser has an infinite redirect loop DoS via meta-refresh chain High
CVE-2026-39376 was published for fastfeedparser (pip) Apr 8, 2026
redyank Credited to redyank
RedwoodSDK has a CSRF vulnerability in server function dispatch via GET requests High
CVE-2026-39371 was published for rwsdk (npm) Apr 8, 2026
zebbern Credited to zebbern
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database