GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
32,624 advisories
pnpm: Manifest identity spoof satisfies allowBuilds and runs attacker lifecycle
High
CVE-2026-55487 was published for pnpm (npm) Jun 26, 2026
pnpm: Repository config can expand victim environment secrets into registry requests before scripts run
Moderate
CVE-2026-55180 was published for pnpm (npm) Jun 26, 2026
ImageMagick has a Heap Buffer Over-Write in SF3 encoder when writing multi-frame image
Moderate
CVE-2026-53465 was published for Magick.NET-Q16-AnyCPU (NuGet) Jun 26, 2026
ImageMagick: Memory Leak in wand option parser when providing invalid arguments
Moderate
CVE-2026-53464 was published for Magick.NET-Q16-AnyCPU (NuGet) Jun 26, 2026
Statamic CMS's incorrect authorization lets view-only users submit Live Preview content reserved for editors
Low
CVE-2026-54244 was published for statamic/cms (Composer) Jun 26, 2026
Nezha Monitoring: OAuth2 Redirect URL — Host Header Injection
Moderate
CVE-2026-53523 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS
Moderate
CVE-2026-53522 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Statamic Vulnerable to CSV formula injection in form submission exports
Moderate
CVE-2026-54243 was published for statamic/cms (Composer) Jun 26, 2026
Statamic Vulnerable to Server-Side Request Forgery via Glide (DNS rebinding)
Moderate
CVE-2026-54242 was published for statamic/cms (Composer) Jun 26, 2026
Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secret_key
Critical
CVE-2026-53519 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Nezha Monitoring: Stored future DDNS profile ID allows unauthorized use of another user's DDNS profile context
Moderate
CVE-2026-53521 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Nezha Monitoring: Authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing
Moderate
CVE-2026-53520 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
pnpm Vulnerable to Arbitrary File Write/Delete via Malicious Patch File (Path Traversal)
High
CVE-2026-50015 was published for pnpm (npm) Jun 26, 2026
pnpm binds unscoped user-level npm auth credentials to a repository-selected registry
Moderate
CVE-2026-50017 was published for pnpm (npm) Jun 26, 2026
pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement
High
CVE-2026-50016 was published for pnpm (npm) Jun 26, 2026
pnpm: Git Fetch Argument Injection via Lockfile resolution.commit
Moderate
CVE-2026-50014 was published for pnpm (npm) Jun 26, 2026
pnpm Has an Integrity Check Bypass via Missing Lockfile Integrity Field
Moderate
CVE-2026-50021 was published for pnpm (npm) Jun 26, 2026
pnpm: Unsafe default behavior breaks integrity check
Moderate
CVE-2026-50573 was published for pnpm (npm) Jun 26, 2026
ex_aws_sns: Trusted-attacker `SigningCertURL` permits complete SNS signature bypass
High
CVE-2026-47074 was published for ex_aws_sns (Erlang) Jun 26, 2026
js-toml has silent type confusion via falsy-primitive duplicate-key bypass
Moderate
CVE-2026-50029 was published for js-toml (npm) Jun 26, 2026
regclient may leak authentication credentials to external blob stores
Moderate
CVE-2026-49349 was published for github.com/regclient/regclient (Go) Jun 26, 2026
Authelia has an Edge Case Access Control Rule Mismatch
Low
CVE-2026-48794 was published for github.com/authelia/authelia/v4 (Go) Jun 26, 2026
Nezha vulnerable to cross-tenant terminal/file-manager session hijack via WebSocket stream UUID without ownership check
Critical
GHSA-q6xx-5vr8-p898 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Blnk has an API key authorization bypass in owner and scope enforcement
High
GHSA-wcr3-9x4c-f5gj was published for github.com/blnkfinance/blnk (Go) Jun 26, 2026
YARD static cache reads raw traversal paths before router sanitization
Moderate
CVE-2026-49342 was published for yard (RubyGems) Jun 26, 2026
ProTip! Advisories are also available from the GraphQL API