GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
32,624 advisories
Fission: Cross-namespace event leakage via KubernetesWatchTrigger allows persistent tenant surveillance. High. CVE-2026-49822 was published for github.com/fission/fission (Go) on Jun 30, 2026.
Fission: Cross-namespace Environment reference in Package allows build-time command execution and SA token exfiltration. High. CVE-2026-49821 was published for github.com/fission/fission (Go) on Jun 30, 2026.
Fission: MessageQueueTrigger scaler manager materializes Secret values into Deployment envvars and accepts arbitrary user PodSpec. High. GHSA-7m8x-qg2j-4m3v was published for github.com/fission/fission (Go) on Jun 30, 2026.
Sigstore Java has a vulnerability with bundle verification of integratedTime. Low. CVE-2026-48791 was published for dev.sigstore:sigstore-java (Maven) on Jun 30, 2026.
@cedar-policy/authorization-for-expressjs has an authorization bypass via query string manipulation. High. CVE-2026-49473 was published for @cedar-policy/authorization-for-expressjs (npm) on Jun 30, 2026.
Kahi has privilege-drop and socket/log permission issues. High. GHSA-55f6-4pr5-c7m5 was published for github.com/kahiteam/kahi (Go) on Jun 30, 2026.
Paymenter has URL parameter injection that bypasses paid plan limits at checkout. High. CVE-2026-47198 was published for paymenter/paymenter (Composer) on Jun 30, 2026.
RabbitMQ vulnerable to Denial of Service by publishing large messages over the HTTP API. Moderate. CVE-2023-46118 was published for rabbit_common (Erlang) on Jun 30, 2026.
RabbitMQ has predictable credential obfuscation seed value used in Shovel and Federation plugins. Moderate. CVE-2022-31008 was published for rabbit_common (Erlang) on Jun 30, 2026.
Microsoft.OpenAPI: Circular schema references may terminate OpenAPI parsing. High. CVE-2026-49451 was published for Microsoft.OpenAPI (NuGet) on Jun 30, 2026.
Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query. High. CVE-2026-44840 was published for github.com/dgraph-io/dgraph/v25 (Go) on Jun 29, 2026.
OpenAM OAuth Authorization Bypass via PKCE Challenge. Moderate. CVE-2026-48717 was published for org.openidentityplatform.openam:openam-oauth2 (Maven) on Jun 29, 2026.
OpenAM OAuth Client Impersonation via JWKS Resolver Cache. High. CVE-2026-47426 was published for org.openidentityplatform.openam:openam-oauth2 (Maven) on Jun 29, 2026.
OpenAM Authenticated RCE via Groovy Sandbox Escape. High. CVE-2026-47424 was published for org.openidentityplatform.openam:openam-scripting (Maven) on Jun 29, 2026.
pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config. High. GHSA-qrv3-253h-g69c was published for pnpm (npm) on Jun 27, 2026.
pnpm: `patch-remove` could delete project-selected files outside the patches directory. High. GHSA-72r4-9c5j-mj57 was published for pnpm (npm) on Jun 27, 2026.
pnpm: Hoisted install imports lockfile alias outside node_modules. High. GHSA-fr4h-3cph-29xv was published for pnpm (npm) on Jun 27, 2026.
Nezha Dashboard: DDNS and Notification credential exposure via unredacted list API. Moderate. GHSA-ww5p-j6cj-6mqq was published for github.com/nezhahq/nezha (Go) on Jun 26, 2026.
pnpm: `stage download` writes outside its destination directory via manifest name/version traversal. High. CVE-2026-55700 was published for pnpm (npm) on Jun 26, 2026.
pnpm: Reserved bin name deletes PNPM_HOME during global remove. Moderate. CVE-2026-55699 was published for pnpm (npm) on Jun 26, 2026.
pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes. High. CVE-2026-55698 was published for pnpm (npm) on Jun 26, 2026.
Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR). High. CVE-2026-49338 was published for go.senan.xyz/gonic (Go) on Jun 26, 2026.
gonic: Path Traversal in playlist `id` bypasses ownership check, enabling any user to read/delete other users' playlists. High. CVE-2026-49339 was published for go.senan.xyz/gonic (Go) on Jun 26, 2026.
gonic has arbitrary file write in createPlaylist: any authenticated user can write playlist M3U content to attacker-controlled path on the host. High. CVE-2026-49340 was published for go.senan.xyz/gonic (Go) on Jun 26, 2026.
pnpm: Repository-controlled configDependencies can select a pacquet native install engine. High. CVE-2026-55697 was published for pnpm (npm) on Jun 26, 2026.
Advisories are also available from the GraphQL API.