GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem:
All reviewed: 5,000+
Composer: 5,000+
Erlang: 91
GitHub Actions: 54
Go: 4,194
Maven: 5,000+
npm: 5,000+
NuGet: 1,021
pip: 5,000+
Pub: 13
RubyGems: 1,102
Rust: 1,422
Swift: 61
Unreviewed advisories (all unreviewed): 5,000+
32,624 advisories
Severity | Advisory | Title | Affected package (ecosystem) | Published
Moderate | GHSA-m8j6-rc5x-wv36 | nono-py's policy JSON accepts unknown security fields | nono-py (pip) | Jun 26, 2026
Moderate | GHSA-9j7f-3r4p-pwh6 | nono-py vulnerable to authorization bypass / policy confusion | nono-py (pip) | Jun 26, 2026
Critical | CVE-2026-48797 | Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication | @mcptoolshop/backpropagate (npm) | Jun 26, 2026
Moderate | GHSA-72w7-mf9g-733p | nono-py has proxy-only network fallback bypass on older Linux kernels | nono-py (pip) | Jun 26, 2026
Moderate | CVE-2026-41262 | Fleet DM Vulnerable to Cross-Team Policy Data Exposure via Global Policy Read Endpoint | github.com/fleetdm/fleet/v4 (Go) | Jun 26, 2026
High | GHSA-jqc5-2p7q-fqfc | Hysteria: http large header with sniff cause server DoS | github.com/apernet/hysteria (Go) | Jun 26, 2026
High | GHSA-qh5x-rfwf-rvfv | Hysteria vulnerable to server crash when max_datagram_frame_size very small | github.com/apernet/hysteria (Go) | Jun 26, 2026
High | GHSA-vgrc-hq28-p3xp | Hysteria has an authenticated UDP ACL bypass that enables localhost and private-network UDP SSRF | github.com/apernet/hysteria/core/v2 (Go) | Jun 26, 2026
Moderate | GHSA-5vwr-qchf-q4pf | @cyclonedx/cdxgen: Maven project scanning may allow shell command injection through repository-controlled module paths | @cyclonedx/cdxgen (npm) | Jun 26, 2026
High | CVE-2026-48788 | Remark42: Cross-Site Scripting (XSS) on /api/v1/img via content-type spoofing | github.com/umputun/remark42 (Go) | Jun 26, 2026
Moderate | CVE-2026-48785 | Apptainer has incorrect path matching for 'limit container paths' directive | github.com/apptainer/apptainer (Go) | Jun 26, 2026
Moderate | CVE-2026-48782 | pydantic-ai: SSRF blocklist bypass via IPv4-compatible, SIIT/IVI, and local NAT64 IPv6 addresses (incomplete fix of CVE-2026-46678) | pydantic-ai (pip) | Jun 26, 2026
Critical | CVE-2026-48769 | Incus has an arbitrary file write on its client due to trusted image hash | github.com/lxc/incus/v7/cmd/incusd (Go) | Jun 26, 2026
Moderate | CVE-2026-48758 | @sigstore/core has DSSE payloadType type-binding failure | @sigstore/core (npm) | Jun 26, 2026
Low | CVE-2026-48756 | Incus: CreateCustomVolumeFromBackup nil-pointer dereference on volume_snapshots[*].expires_at (sibling-field variant of GHSA-r7w7) | github.com/lxc/incus/v7/cmd/incusd (Go) | Jun 26, 2026
Critical | CVE-2026-48755 | Incus has an argument injection in backup compression algorithm leading to AFW and ACE | github.com/lxc/incus/v7/cmd/incusd (Go) | Jun 26, 2026
Low | CVE-2026-48754 | Incus: Nil-pointer dereference in createDependentVolumesFromBackup on disk.{Volume,VolumeSnapshots,Pool} | github.com/lxc/incus/v7/cmd/incusd (Go) | Jun 26, 2026
Critical | CVE-2026-48753 | Incus has an arbitrary file write via path traversal in S3 multipart upload | github.com/lxc/incus/v7/cmd/incusd (Go) | Jun 26, 2026
Critical | CVE-2026-48752 | Incus has arbitrary file read+write on host via templates/ symlink in malicious image | github.com/lxc/incus/v7/cmd/incusd (Go) | Jun 26, 2026
Critical | CVE-2026-48751 | Incus has a restricted project bypass leading to arbitrary command execution | github.com/lxc/incus/v7/cmd/incusd (Go) | Jun 26, 2026
Critical | CVE-2026-48750 | Incus has an arbitrary file write on host via `exec-output` symlink in crafted image | github.com/lxc/incus/v7/cmd/incusd (Go) | Jun 26, 2026
Critical | CVE-2026-48749 | Incus has an arbitrary file read+write on host via rootfs/ symlink in malicious image | github.com/lxc/incus/v7/cmd/incusd (Go) | Jun 26, 2026
Moderate | CVE-2026-53463 | ImageMagick has Null Pointer Dereference caused by the distort operation when passing incorrect arguments | Magick.NET-Q16-AnyCPU (NuGet) | Jun 26, 2026
High | CVE-2026-46623 | OpenAM Account Takeover via Unverified Password Change in OAuth2 Module | org.openidentityplatform.openam:openam-auth-oauth2 (Maven) | Jun 26, 2026
High | CVE-2026-46619 | OpenAM Authentication Bypass via MSISDN LDAP Injection | org.openidentityplatform.openam:openam-auth-msisdn (Maven) | Jun 26, 2026
ProTip! Advisories are also available from the GraphQL API.