GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

29,574 advisories

LiteLLM: Authenticated command execution via MCP stdio test endpoints High
GHSA-v4p8-mg3p-g94g was published for litellm (pip) Apr 25, 2026
electerm has Command Injection via runLinux function Critical
CVE-2026-41501 was published for electerm (npm) Apr 24, 2026
Credited to FORIMOC
wlc: print_html outputs API data without HTML escaping Moderate
GHSA-gx2m-mcc2-r4p3 was published for wlc (pip) Apr 24, 2026
Credited to fg0x0 and nijel
gitverify has improper tag signature verification Moderate
GHSA-h829-5cg7-6hff was published for github.com/supply-chain-tools/gitverify (Go) Apr 24, 2026
Excalidraw vulnerable to XSS via Mermaid sequence diagram labels (KaTeX rendering) Moderate
GHSA-39h7-pwv7-rc3x was published for @excalidraw/excalidraw (npm) Apr 24, 2026
Kyverno Controller Denial of Service via forEach Mutation Panic High
CVE-2026-41485 was published for github.com/kyverno/kyverno (Go) Apr 24, 2026
Credited to thevilledev
Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection High
CVE-2026-41325 was published for getkirby/cms (Composer) Apr 24, 2026
Credited to offset
Traefik: A timing side-channel vulnerability allows for valid username enumeration via BasicAuth middleware Moderate
CVE-2026-41263 was published for github.com/traefik/traefik (Go) Apr 24, 2026
Credited to kodareef5
Traefik Kubernetes CRD allows unauthorized cross-namespace middleware binding Moderate
CVE-2026-41174 was published for github.com/traefik/traefik (Go) Apr 24, 2026
Credited to tamemghq
Gemini CLI: Remote Code Execution via workspace trust and tool allowlisting bypasses Critical
GHSA-wpqr-6v78-jr5g was published for @google/gemini-cli (GitHub Actions) Apr 24, 2026
Credited to DanusMinimus and EladMeged-Novee
ParquetSharp: Possible Stack Overflow When Reading a ParquetFile with Large Decimal Type Width Moderate
GHSA-rrjr-v56m-ww88 was published for ParquetSharp (NuGet) Apr 24, 2026
Credited to adamreeve, CurtHagenlocher, and marcin-krystianc
TYPO3 CMS Stores Cleartext Password in User Settings Module High
CVE-2026-6553 was published for typo3/cms-backend (Composer) Apr 24, 2026
Credited to mclewing, garvinhicking, and ohader
Traefik has a StripPrefixRegex Middleware Authorization Bypass via Path/RawPath Desync High
CVE-2026-40912 was published for github.com/traefik/traefik (Go) Apr 24, 2026
Credited to gouldnicholas
k8sGPT has Prompt Injection through its k8sGPT-Operator High
GHSA-rp7v-4384-hfrp was published for github.com/k8sgpt-ai/k8sgpt (Go) Apr 24, 2026
Credited to haruki3hhh
Claude Code: Trust Dialog Bypass via Git Worktree Spoofing Allows Arbitrary Code Execution High
CVE-2026-40068 was published for @anthropic-ai/claude-code (npm) Apr 24, 2026
Traefik: Pre-authentication decision bypass due to forwarded alias spoofing High
CVE-2026-39858 was published for github.com/traefik/traefik (Go) Apr 24, 2026
Credited to fancymalware
Traefik's ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass authentication High
CVE-2026-35051 was published for github.com/traefik/traefik (Go) Apr 24, 2026
Credited to Zwique
go-zserio has Unbounded Memory Allocation for All Platforms Critical
GHSA-xhj4-g6w8-2xjw was published for github.com/woven-planet/go-zserio (Go) Apr 24, 2026
Credited to Ryujiyasu
Zserio Runtime: Integer Overflow in BitStreamReader and Unbounded Memory Allocation in Deserialization High
CVE-2026-33524 was published for io.github.ndsev:zserio-runtime (Maven) Apr 24, 2026
Credited to Ryujiyasu
rustls-webpki: Denial of service via panic on malformed CRL BIT STRING High
GHSA-82j2-j2ch-gfr8 was published for rustls-webpki (Rust) Apr 24, 2026
Credited to tynus3
Budibase auth session cookies are set with httpOnly:false — any XSS can lead to full account takeover High
GHSA-4f9j-vr4p-642r was published for @budibase/backend-core (npm) Apr 24, 2026
Credited to AyushParkara
Kimai has Missing Object-Level Authorization in the Team API Low
CVE-2026-41498 was published for kimai/kimai (Composer) Apr 24, 2026
Credited to AzureADTrent
LiteLLM has SQL Injection in Proxy API key verification Critical
GHSA-r75f-5x8p-qvmc was published for litellm (pip) Apr 24, 2026
Dgraph: Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars Critical
CVE-2026-41492 was published for github.com/dgraph-io/dgraph (Go) Apr 24, 2026
Credited to MaherAzzouzi
Ray: Remote Code Execution via Parquet Arrow Extension Type Deserialization High
CVE-2026-41486 was published for ray (pip) Apr 24, 2026
Credited to shakevsky