
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

32,526 advisories

PHP Standard Library: HTTP/2 server-side missing content-length validation enables request smuggling (High)
CVE-2026-48979, published for php-standard-library/h2 (Composer) on Jun 26, 2026
Credited to azjezz

Muhammara has a NULL pointer dereference in LZWDecode filter when DecodeParms omits EarlyChange key (High)
GHSA-fhp4-pr5j-46m5, published for muhammara (npm) on Jun 26, 2026
Credited to r3d5t0x3

Pterodactyl Panel: Client email change endpoint allows enumeration of accounts in system (Moderate)
GHSA-j7f5-gfqm-pcx3, published for pterodactyl/panel (Composer) on Jun 26, 2026
Credited to CybranceeHosting, YoloFTW, and TheCyberDesk

Pterodactyl Wings: Chmod operation can be used to change permissions of files outside of the server container (Moderate)
GHSA-rhq6-9rgh-v45c, published for github.com/pterodactyl/wings (Go) on Jun 26, 2026
Credited to Vz0n

Flawfinder output manipulation via untrusted filenames and source text (Low)
CVE-2026-48813, published for flawfinder (pip) on Jun 26, 2026

python-socketio: Binary attachment accumulation can cause denial of service (High)
CVE-2026-48804, published for python-socketio (pip) on Jun 26, 2026
Credited to mauriceng98

python-engineio has unbound thread allocation that can cause denial of service (High)
CVE-2026-48802, published for python-engineio (pip) on Jun 26, 2026
Credited to mauriceng98

semantic-router exposed to compromised litellm wheel (CVE-2026-42208) via unbounded transitive pin (Critical)
GHSA-98x5-vq43-vc5p, published for semantic-router (pip) on Jun 26, 2026
Credited to jamescalam

python-engineio has possible denial of service due to maximum payload size sometimes not being enforced (High)
CVE-2026-48809, published for python-engineio (pip) on Jun 26, 2026

LinkifyIt#match scan loop has quadratic algorithmic complexity (High)
CVE-2026-48801, published for linkify-it (npm) on Jun 26, 2026
Credited to hillalee

turso-cli persists Turso platform JWT with world-readable (0o644) file permissions (Moderate)
CVE-2026-48790, published for github.com/tursodatabase/turso-cli (Go) on Jun 26, 2026

nono-py's policy JSON accepts unknown security fields (Moderate)
GHSA-m8j6-rc5x-wv36, published for nono-py (pip) on Jun 26, 2026

nono-py vulnerable to authorization bypass / policy confusion (Moderate)
GHSA-9j7f-3r4p-pwh6, published for nono-py (pip) on Jun 26, 2026

Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication (Critical)
CVE-2026-48797, published for @mcptoolshop/backpropagate (npm) on Jun 26, 2026

nono-py has proxy-only network fallback bypass on older Linux kernels (Moderate)
GHSA-72w7-mf9g-733p, published for nono-py (pip) on Jun 26, 2026
Credited to lukehinds

Fleet DM Vulnerable to Cross-Team Policy Data Exposure via Global Policy Read Endpoint (Moderate)
CVE-2026-41262, published for github.com/fleetdm/fleet/v4 (Go) on Jun 26, 2026
Credited to offset

Hysteria: http large header with sniff cause server DoS (High)
GHSA-jqc5-2p7q-fqfc, published for github.com/apernet/hysteria (Go) on Jun 26, 2026
Credited to Cherrling

Hysteria vulnerable to server crash when max_datagram_frame_size very small (High)
GHSA-qh5x-rfwf-rvfv, published for github.com/apernet/hysteria (Go) on Jun 26, 2026
Credited to Cherrling

Hysteria has an authenticated UDP ACL bypass that enables localhost and private-network UDP SSRF (High)
GHSA-vgrc-hq28-p3xp, published for github.com/apernet/hysteria/core/v2 (Go) on Jun 26, 2026
Credited to 0xlally

@cyclonedx/cdxgen: Maven project scanning may allow shell command injection through repository-controlled module paths (Moderate)
GHSA-5vwr-qchf-q4pf, published for @cyclonedx/cdxgen (npm) on Jun 26, 2026
Credited to aleff-github

Remark42: Cross-Site Scripting (XSS) on /api/v1/img via content-type spoofing (High)
CVE-2026-48788, published for github.com/umputun/remark42 (Go) on Jun 26, 2026
Credited to ildkh

Apptainer has incorrect path matching for 'limit container paths' directive (Moderate)
CVE-2026-48785, published for github.com/apptainer/apptainer (Go) on Jun 26, 2026
Credited to dtrudg

Credited to SnailSploit and 0xShemesh

Incus has an arbitrary file write on its client due to trusted image hash (Critical)
CVE-2026-48769, published for github.com/lxc/incus/v7/cmd/incusd (Go) on Jun 26, 2026
Credited to antifob and stgraber

@sigstore/core has DSSE payloadType type-binding failure (Moderate)
CVE-2026-48758, published for @sigstore/core (npm) on Jun 26, 2026
Credited to Str1ckl4nd and Zyy0530