
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open source software.

30,135 advisories

rust-openssl vulnerable to heap buffer overflow when encrypting with AES key-wrap-with-padding Moderate
CVE-2026-44662 was published for openssl (Rust) May 7, 2026
netbox-data-flows has stored XSS in ObjectAlias names rendered inside DataFlow tables High
GHSA-v7qw-hx66-4w9x was published for netbox-data-flows (pip) May 7, 2026
Credited to xanode
mcp-ssh-tool has file transfer path policy bypass and bearer token comparison hardening High
GHSA-j7h9-2jh7-g967 was published for mcp-ssh-tool (npm) May 7, 2026
Credited to 0xmrma
Ech0's access tokens with expiry=never cannot be revoked: logout panics and delete does not blacklist the JTI High
GHSA-fpw6-hrg5-q5x5 was published for github.com/lin-snow/Ech0 (Go) May 7, 2026
Credited to adrgs and aisafe-bot
Ech0's OAuth redirect URI validation ignores path component, enables exchange-code theft High
GHSA-p64j-f4x9-wq66 was published for github.com/lin-snow/Ech0 (Go) May 7, 2026
Credited to adrgs and aisafe-bot
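The advisory title above names the mechanism (the redirect URI check ignores the path), and the practical consequence is that an authorization code can be sent to any path on the registered host, including one an attacker controls, such as a user-content page. The Go below is an added illustration of that check in its weak and strict forms; it is not Ech0's code, and the `registeredRedirects` list, the `app.example` host and the `/u/attacker/page` path are constructed sample data.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Registered redirect URIs for a hypothetical OAuth client (constructed sample data).
var registeredRedirects = []string{
	"https://app.example/oauth/callback",
}

// normPath gives an empty path the canonical "/" and collapses dot segments so
// that "/oauth/callback/../../x" cannot be made to look like the registered path.
func normPath(p string) string {
	if p == "" {
		return "/"
	}
	return path.Clean(p)
}

// hostOnlyMatch is the weak check: it compares only the host, so any path on
// the registered host is accepted. This is the bug class the title describes;
// the code is illustrative and is not Ech0's own.
func hostOnlyMatch(registered []string, requested string) bool {
	req, err := url.Parse(requested)
	if err != nil {
		return false
	}
	for _, r := range registered {
		reg, err := url.Parse(r)
		if err != nil {
			continue
		}
		if strings.EqualFold(reg.Host, req.Host) {
			return true
		}
	}
	return false
}

// exactMatch is the strict check: scheme and host must match case-insensitively,
// the normalised path must match exactly, and the requested URI may carry no
// userinfo, query or fragment that could redirect the code elsewhere.
func exactMatch(registered []string, requested string) bool {
	req, err := url.Parse(requested)
	if err != nil || req.User != nil || req.RawQuery != "" || req.Fragment != "" {
		return false
	}
	for _, r := range registered {
		reg, err := url.Parse(r)
		if err != nil {
			continue
		}
		if strings.EqualFold(reg.Scheme, req.Scheme) &&
			strings.EqualFold(reg.Host, req.Host) &&
			normPath(reg.Path) == normPath(req.Path) {
			return true
		}
	}
	return false
}

func main() {
	// An attacker-controlled page on the same host (constructed example).
	attacker := "https://app.example/u/attacker/page"
	fmt.Println("host-only accepts attacker path:", hostOnlyMatch(registeredRedirects, attacker))
	fmt.Println("exact accepts attacker path:    ", exactMatch(registeredRedirects, attacker))
	fmt.Println("exact accepts registered URI:   ", exactMatch(registeredRedirects, registeredRedirects[0]))
}
```

The strict form rejects any query string outright; if a client legitimately registers a redirect URI that carries a query, compare `RawQuery` byte-for-byte against the registered value rather than relaxing the check to a prefix match.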
Ech0 has Server-Side Request Forgery (SSRF) via Connect Handler fetchPeerConnectInfo High
GHSA-8mc6-xjpr-h98x was published for github.com/lin-snow/ech0 (Go) May 7, 2026
Ech0 allows unauthenticated PUT /api/echo/like/:id: anonymous callers can modify any echo's fav_count Moderate
GHSA-pj6q-4vq4-r8cg was published for github.com/lin-snow/Ech0 (Go) May 7, 2026
Credited to adrgs and aisafe-bot
Ech0's Unauthenticated Like Endpoint Enables Arbitrary Engagement Metric Inflation Moderate
GHSA-rgj7-vg8v-j4wr was published for github.com/lin-snow/ech0 (Go) May 7, 2026
Credited to VashuVats
Ech0's RSS feed renders unescaped tag names and raw-HTML markdown, stored XSS against subscribers Moderate
GHSA-3v85-fqvh-7rxf was published for github.com/lin-snow/Ech0 (Go) May 7, 2026
Credited to adrgs and aisafe-bot
Ech0 comment model's Email field returned on public /api/comments endpoints Moderate
GHSA-rj4g-rqgh-rx9h was published for github.com/lin-snow/Ech0 (Go) May 7, 2026
Credited to adrgs and aisafe-bot
Note Mark has a JWT Secret Weakness that allows Full Account Takeover via Token Forgery Critical
CVE-2026-44523 was published for github.com/enchant97/note-mark/backend (Go) May 7, 2026
Credited to osageling and enchant97
Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leads to Remote Code Execution High
CVE-2026-44522 was published for github.com/enchant97/note-mark/backend (Go) May 7, 2026
Credited to rvizx and enchant97
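The title of this Note Mark advisory names the bug class (a path traversal in an asset name that turns an upload into an arbitrary file write). The Go below is an added illustration of why a bare `filepath.Join` is not a containment check and what a single-component name policy plus a post-join containment test looks like; it is not Note Mark's code, and the `/srv/notes/assets` directory and the sample names are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeAssetName is returned for any name that is not a single plain file name.
var ErrUnsafeAssetName = errors.New("unsafe asset name")

// naiveAssetPath is the vulnerable form: filepath.Join cleans ".." segments, so a
// name like "../../../etc/cron.d/job" resolves outside baseDir. Illustrative only,
// not Note Mark's code.
func naiveAssetPath(baseDir, name string) string {
	return filepath.Join(baseDir, name)
}

// safeAssetPath accepts only a single path element and then verifies, after
// cleaning, that the joined result is still a strict child of baseDir.
func safeAssetPath(baseDir, name string) (string, error) {
	if name == "" || name == "." || name == ".." || strings.ContainsRune(name, 0) {
		return "", ErrUnsafeAssetName
	}
	// No separators of either flavour: an asset name is a file name, not a path.
	// Backslash is rejected even on Unix so the same policy holds on Windows hosts.
	if strings.ContainsAny(name, `/\`) {
		return "", ErrUnsafeAssetName
	}
	base := filepath.Clean(baseDir)
	full := filepath.Join(base, name)
	// Defence in depth: the joined path must still sit inside base.
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeAssetName
	}
	return full, nil
}

func main() {
	base := "/srv/notes/assets" // constructed sample directory
	for _, name := range []string{"diagram.png", "../../../etc/cron.d/job", `..\..\win.ini`, "a/b.png"} {
		p, err := safeAssetPath(base, name)
		fmt.Printf("%-28q naive=%-32s safe=%q err=%v\n", name, naiveAssetPath(base, name), p, err)
	}
}
```

The separator check is the real policy; the `filepath.Rel` test is kept so that a later relaxation of the policy (for example, allowing sub-directories) still cannot write above the base directory.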
Webauthn has a User Verification Downgrade via Default-Open ClientOverridePolicy Low
GHSA-h4fw-6r7f-w494 was published for web-auth/webauthn-framework (Composer) May 7, 2026
Credited to offset
Zebra's Transparent SIGHASH_SINGLE Handling Diverges from zcashd for Corresponding Outputs Critical
GHSA-cwfq-rfcr-8hmp was published for zebrad (Rust) May 7, 2026
Credited to sangsoo-osec, defuse, and mpguerra
Zebra has Consensus Divergence in Transparent Sighash Hash-Type Handling due to Stale Buffer Critical
CVE-2026-44497 was published for zebra-script (Rust) May 7, 2026
Credited to sangsoo-osec
Zebra Vulnerable to Allocation Amplification in Inbound Network Deserializers Moderate
CVE-2026-44500 was published for zebra-chain (Rust) May 7, 2026
Credited to Zk-nd3r
Zebra's Block Validator Undercounts Coinbase and P2SH Sigops Critical
CVE-2026-44498 was published for zebrad (Rust) May 7, 2026
Credited to sangsoo-osec, upbqdn, mpguerra, and defuse
nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect) Low
CVE-2026-44589 was published for nuxt-og-image (npm) May 7, 2026
Credited to b-hermes
FacturaScripts Vulnerable to Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images Moderate
CVE-2026-42879 was published for facturascripts/facturascripts (Composer) May 7, 2026
Credited to guzrex
FacturaScripts Vulnerable to Unauthenticated phpinfo() Disclosure via Installer Endpoint Moderate
CVE-2026-42878 was published for facturascripts/facturascripts (Composer) May 7, 2026
Credited to preritpathak
FacturaScripts vulnerable to stored XSS via product reference in sales/purchases Moderate
CVE-2026-42877 was published for facturascripts/facturascripts (Composer) May 7, 2026
Credited to ormzro
FacturaScripts vulnerable to Reflected Cross-Site Scripting (XSS) via Cookie Manipulation Low
CVE-2026-27964 was published for facturascripts/facturascripts (Composer) May 7, 2026
Credited to jaroslaw-wawiorko
FacturaScripts Vulnerable to Unstripped Image Metadata (EXIF) Leakage via Library Module File Upload/Download Moderate
CVE-2026-27892 was published for facturascripts/facturascripts (Composer) May 7, 2026
Credited to sudo0xksh
ProTip! Advisories are also available from the GraphQL API