Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,967
Maven
5,000+
npm
5,000+
NuGet
973
pip
5,000+
Pub
13
RubyGems
1,064
Rust
1,387
Swift
56
Unreviewed advisories
All unreviewed
5,000+

31,373 advisories

Loading
Netty: HAProxy SSL TLV parsing leaks retained slice on invalid TLV length High
CVE-2026-44893 was published for io.netty:netty-codec-haproxy (Maven) Jun 8, 2026
Netty has a Vulnerable Default Configuration Which Leads to Denial of Service via Unbounded HTTP/3 Header Size High
CVE-2026-44892 was published for io.netty:netty-codec-http3 (Maven) Jun 8, 2026
violetagg Credited to violetagg
Netty has Unbounded Direct Memory Consumption in its RedisDecoder High
CVE-2026-44890 was published for io.netty:netty-codec-redis (Maven) Jun 8, 2026
violetagg Credited to violetagg
Netty: Memory Exhaustion in RedisArrayAggregator due to Deeply Nested Arrays High
CVE-2026-44250 was published for io.netty:netty-codec-redis (Maven) Jun 8, 2026
violetagg Credited to violetagg
Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking High
CVE-2026-44249 was published for io.netty:netty-handler (Maven) Jun 8, 2026
violetagg Credited to violetagg
actual Allows Electron to Run As Node Moderate
CVE-2026-42890 was published for actual (npm) Jun 8, 2026
mustafa-sec Credited to mustafa-sec
Authlib OAuth 2.0 has Open Redirect in Authorization API that allows attacker-controlled redirect_uri through unsupported response_type Moderate
CVE-2026-41479 was published for authlib (pip) Jun 8, 2026
rise0311 Credited to rise0311
GeoNode contains a server-side request forgery vulnerability in the service registration endpoint Moderate
CVE-2026-39922 was published for geonode (pip) Jun 8, 2026
CodingRule Credited to CodingRule
Twig: Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points High
CVE-2026-47732 was published for twig/twig (Composer) Jun 5, 2026
fabpot Credited to fabpot
Twig: XSS in profiler HtmlDumper via unescaped template and profile names Low
CVE-2026-47730 was published for twig/twig (Composer) Jun 5, 2026
nicolas-grekas Credited to nicolas-grekas
Bugsink: DOS using large numbers of event tags Moderate
GHSA-5x67-j5xg-c5gj was published for bugsink (pip) Jun 5, 2026
Bugsink: Project scoping missing in sourcemap and debug-file lookup Moderate
CVE-2026-47728 was published for bugsink (pip) Jun 5, 2026
ShuluZhuo Credited to ShuluZhuo
Bugsink: Issue bulk actions can affect another project’s issue if its UUID is known Low
CVE-2026-47716 was published for bugsink (pip) Jun 5, 2026
Susen2 Credited to Susen2
Bugsink: Issue event views can show an event from another project if its UUID is known Low
CVE-2026-47715 was published for bugsink (pip) Jun 5, 2026
nuiifornet Credited to nuiifornet
Twig: Possible sandbox bypass when using a source policy High
CVE-2026-24425 was published for twig/twig (Composer) Jun 5, 2026
fabpot Credited to fabpot, wsparks-vc, XavLimSG, and Vincent550102 wsparks-vc wsparks-vc
XavLimSG XavLimSG Vincent550102 Vincent550102
Shopper: Authorization bypass and RBAC privilege escalation in team settings Critical
CVE-2026-47744 was published for shopper/framework (Composer) Jun 5, 2026
baradika Credited to baradika
Shopper: Multiple data integrity and disclosure issues in admin Livewire components High
CVE-2026-47743 was published for shopper/framework (Composer) Jun 5, 2026
baradika Credited to baradika
Shopper: Missing per-action authorization on PaymentMethods, Currencies and Carriers admin tables Moderate
CVE-2026-47745 was published for shopper/framework (Composer) Jun 5, 2026
baradika Credited to baradika
Shopper: Missing authorization on Product admin Livewire sub-form components Moderate
CVE-2026-47742 was published for shopper/framework (Composer) Jun 5, 2026
baradika Credited to baradika
TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection High
CVE-2026-47761 was published for TinyMCE (Composer) Jun 5, 2026
UncleJ4ck Credited to UncleJ4ck and ange-primiterra ange-primiterra ange-primiterra
TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments High
CVE-2026-47762 was published for TinyMCE (Composer) Jun 5, 2026
he1d3n Credited to he1d3n
TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes High
CVE-2026-47759 was published for TinyMCE (Composer) Jun 5, 2026
mtrill47 Credited to mtrill47 and he1d3n he1d3n he1d3n
TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs High
CVE-2026-47760 was published for TinyMCE (Composer) Jun 5, 2026
maple3142 Credited to maple3142
skillctl: Path traversal and symlink-follow in skillctl allow arbitrary file disclosure and deletion High
GHSA-wx3m-whqv-xv47 was published for skillctl (Rust) Jun 5, 2026
NASA AMMOS Instrument Toolkit: Path traversal resulting in arbitrary file append (can be triggered over the network by unauthenticated attacker) Critical
CVE-2026-47731 was published for ait-core (pip) Jun 5, 2026
ehtec Credited to ehtec
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database