GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories (count by ecosystem):
All reviewed: 5,000+
Composer: 5,000+
Erlang: 91
GitHub Actions: 54
Go: 4,194
Maven: 5,000+
npm: 5,000+
NuGet: 1,021
pip: 5,000+
Pub: 13
RubyGems: 1,102
Rust: 1,422
Swift: 61

Unreviewed advisories:
All unreviewed: 5,000+
17 advisories
Fission builder pods auto-mount the fission-builder ServiceAccount token in the user-supplied builder container
Severity: Moderate. CVE-2026-50565 was published for github.com/fission/fission (Go) on Jun 30, 2026.

@microsoft/kiota-http-fetchlibrary: Bearer token and Cookie leak across origin on redirect due to case-mismatched scrub in fetchRequestAdapter
Severity: Moderate. CVE-2026-49336 was published for @microsoft/kiota-http-fetchlibrary (npm) on Jun 26, 2026.

js-toml vulnerable to CPU exhaustion via O(n^2) BigInt construction on radix-prefixed integer literals
Severity: High. CVE-2026-49293 was published for js-toml (npm) on Jun 26, 2026.

php-weasyprint: shell command injection via configurable WeasyPrint binary path due to inverted is_executable() guard (mirror of KnpLabs/snappy GHSA-vpr4-p6fq-85jc)
Severity: High. CVE-2026-49260 was published for pontedilana/php-weasyprint (Composer) on Jun 26, 2026.

Incus: CreateCustomVolumeFromBackup nil-pointer dereference on volume_snapshots[*].expires_at (sibling-field variant of GHSA-r7w7)
Severity: Low. CVE-2026-48756 was published for github.com/lxc/incus/v7/cmd/incusd (Go) on Jun 26, 2026.

Incus: Nil-pointer dereference in createDependentVolumesFromBackup on disk.{Volume,VolumeSnapshots,Pool}
Severity: Low. CVE-2026-48754 was published for github.com/lxc/incus/v7/cmd/incusd (Go) on Jun 26, 2026.

opentelemetry_sdk has unbounded memory allocation in W3C Baggage propagation
Severity: Moderate. CVE-2026-48504 was published for opentelemetry_sdk (Rust) on Jun 25, 2026.

AVideo Meet plugin: anonymous-to-admin stored XSS via unescaped participant User-Agent in getMeetInfo.json.php Participants panel
Severity: Moderate. GHSA-7cqp-7cfv-6c3q was published for wwbn/avideo (Composer) on Jun 23, 2026.

Budibase: POST /api/attachments/:datasourceId/url is unauthenticated and lets anonymous callers mint S3 PUT pre-signed URLs using stored datasource IAM credentials
Severity: High. CVE-2026-50137 was published for @budibase/server (npm) on Jun 22, 2026.

Crossplane: Signature verification TOCTOU allows installing unverified package content via mutable tag
Severity: Critical. GHSA-wfqx-gjrf-g28r was published for github.com/crossplane/crossplane (Go) on Jun 19, 2026.

undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent
Severity: High. CVE-2026-9697 was published for undici (npm) on Jun 18, 2026.

OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation
Severity: Moderate. CVE-2026-54285 was published for @opentelemetry/core (npm) on Jun 15, 2026.

aiohttp: CRLF injection in multipart headers
Severity: Low. CVE-2026-50269 was published for aiohttp (pip) on Jun 15, 2026.

Symfony: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient
Severity: Moderate. CVE-2026-48736 was published for symfony/http-client (Composer) on Jun 15, 2026.

node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)
Severity: Moderate. CVE-2026-53655 was published for tar (npm) on Jun 15, 2026.

tmp: Type-confusion bypass of _assertPath allows path traversal via non-string prefix/postfix/template
Severity: High. CVE-2026-49982 was published for tmp (npm) on Jun 15, 2026.

Incus has a Nil-Pointer Dereference Panic via Instance Backup Import (volume omitted)
Severity: Moderate. CVE-2026-47753 was published for github.com/lxc/incus/v7 (Go) on Jun 10, 2026.
ProTip! Advisories are also available from the GraphQL API.