GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Advisory counts by ecosystem

GitHub reviewed advisories
Ecosystem | Count
All reviewed | 5,000+
Composer | 3,193
Erlang | 25
GitHub Actions | 39
Go | 2,385
Maven | 3,027
npm | 3,078
NuGet | 529
pip | 2,897
Pub | 5
RubyGems | 442
Rust | 905
Swift | 20

Unreviewed advisories
All unreviewed | 5,000+
54 advisories

Title | Severity | Identifier | Package (ecosystem) | Published
OpenTofu has unbounded memory usage, high CPU usage, or deadlock in "tofu init" with maliciously-crafted dependency responses | Low | GHSA-hw5x-4r37-72w7 | github.com/opentofu/opentofu (Go) | Apr 14, 2026
Axios supply chain attack - dependency in @lightdash/cli may resolve to compromised axios versions | Critical | GHSA-3hfp-gqgh-xc5g | @lightdash/cli (npm) | Apr 2, 2026
Axios npm Supply Chain Incident Impacting @usebruno/cli | Critical | CVE-2026-34841 | @usebruno/cli (npm) | Apr 2, 2026
mcp-handler has a tool response leak across concurrent client sessions ('Race Condition') | High | GHSA-w2fm-25vw-vh7f | mcp-handler (npm) | Apr 1, 2026
EnhancedLinq.Async is Vulnerable to Denial of Service via Transitive Dependency Microsoft.Bcl.Memory | High | GHSA-32wq-ppwg-3w4m | EnhancedLinq.Async (NuGet) | Apr 1, 2026
Traefik: Deny Rule Bypass via Unauthenticated Malicious gRPC Requests in gRPC-Go Dependency (CVE-2026-33186) | High | GHSA-46wh-3698-f2cx | github.com/traefik/traefik/v2 (Go) | Mar 29, 2026
Postiz App has a High-Severity SSRF Vulnerability via Next.js | High | GHSA-vj2p-7pgw-g2wf | postiz (npm) | Mar 27, 2026
C2C CI utils is vulnerable to DoS via pyasn dependency (CVE-2026-30922) | High | GHSA-wcjx-v2wj-xg87 | c2cciutils (pip) | Mar 26, 2026
splunk-otel-javaagent: Unsafe deserialization in RMI instrumentation may lead to Remote Code Execution | Critical | GHSA-h8w2-rv57-vc6f | com.splunk:splunk-otel-javaagent (Maven) | Mar 26, 2026
fido2-lib is vulnerable to DoS via cbor-extract heap buffer over-read in CBOR attestation parsing | High | GHSA-g3qj-j598-cxmq | fido2-lib (npm) | Mar 24, 2026
skia-python vendors vulnerable libfreetype because of pinned cibuildwheel version | High | GHSA-2mhw-8qcg-gr96 | skia-python (pip) | Mar 19, 2026
Improper handling of null Unicode character when parsing JSON in github.com/modelcontextprotocol/go-sdk | High | GHSA-q382-vc8q-7jhj | github.com/modelcontextprotocol/go-sdk (Go) | Mar 19, 2026
Terraform Provider for ArgoCD has possible exposure to GO-2026-4337 / CVE-2025-68121 | Moderate | GHSA-594f-3595-c47v | github.com/argoproj-labs/terraform-provider-argocd (Go) | Mar 18, 2026
Traefik affected by TLS ClientAuth Bypass on HTTP/3 | High | GHSA-gv8r-9rw9-9697 | github.com/traefik/traefik (Go) | Feb 20, 2026
Centrifugo v6.6.0 dependency vulnerabilities | Moderate | GHSA-j9wf-6r2x-hqmx | github.com/centrifugal/centrifugo/v6 (Go) | Feb 19, 2026
Gogs vulnerable to Stored XSS via Mermaid diagrams | High | GHSA-26gq-grmh-6xm6 | gogs.io/gogs (Go) | Feb 6, 2026
FrankenPHP has delayed propagation of security fixes in upstream base images | Critical | GHSA-x9p2-77v6-6vhf | github.com/dunglas/frankenphp (Go) | Feb 5, 2026
OpenTofu has High CPU usage in "tofu init" with maliciously-crafted module packages in .zip format | Low | GHSA-r92c-9c7f-3pj8 | github.com/opentofu/opentofu (Go) | Jan 21, 2026
Auth0 WordPress has Improper Audience Validation via Auth0-PHP SDK Dependency | Moderate | GHSA-vvg7-8rmq-92g7 | auth0/wordpress (Composer) | Dec 17, 2025
Auth0 Symfony SDK has Improper Audience Validation via Auth0-PHP SDK | Moderate | GHSA-f3r2-88mq-9v4g | auth0/symfony (Composer) | Dec 17, 2025
Auth0 Laravel SDK has Improper Audience Validation via Auth0-PHP SDK dependency | Moderate | GHSA-7hh9-gp72-wh7h | auth0/login (Composer) | Dec 17, 2025
Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up | High | GHSA-5j59-xgg2-r9c4 | next (npm) | Dec 12, 2025
Vite Plugin React has a Source Code Exposure Vulnerability in React Server Components | Moderate | GHSA-c6m7-q6pr-c64r | @vitejs/plugin-rsc (npm) | Dec 12, 2025
Vite Plugin React has a Denial of Service Vulnerability in React Server Components | High | GHSA-cpqf-f22c-r95x | @vitejs/plugin-rsc (npm) | Dec 12, 2025
Next Server Actions Source Code Exposure | Moderate | GHSA-w37m-7fhw-fmv9 | next (npm) | Dec 11, 2025
Advisories are also available from the GraphQL API.