GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
29,665 advisories
webonyx/graphql-php has quadratic validation cost in OverlappingFieldsCanBeMerged via inline fragments
High
GHSA-fc86-6rv6-2jpm
was published
for
webonyx/graphql-php
(Composer)
May 4, 2026
pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy via unrestricted `proxy.*` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)
High
CVE-2026-42313
was published
for
pyload-ng
(pip)
May 4, 2026
pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification via unrestricted `ssl_verify` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)
Moderate
CVE-2026-42312
was published
for
pyload-ng
(pip)
May 4, 2026
net-imap vulnerable to command Injection via "raw" arguments to multiple commands
Moderate
CVE-2026-42257
was published
for
net-imap
(RubyGems)
May 4, 2026
net-imap vulnerable to command Injection via unvalidated Symbol inputs
Moderate
CVE-2026-42258
was published
for
net-imap
(RubyGems)
May 4, 2026
net-imap vulnerable to denial of service via high iteration count for `SCRAM-*` authentication
Moderate
CVE-2026-42256
was published
for
net-imap
(RubyGems)
May 4, 2026
net-imap has quadratic complexity when reading response literals
Low
CVE-2026-42245
was published
for
net-imap
(RubyGems)
May 4, 2026
net-imap vulnerable to STARTTLS stripping via invalid response timing
High
CVE-2026-42246
was published
for
net-imap
(RubyGems)
May 4, 2026
ArchiveBox Vulnerable to RCE via unvalidated per-crawl config overrides in AddView
Critical
CVE-2026-42601
was published
for
archivebox
(pip)
May 4, 2026
apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)
High
CVE-2026-42575
was published
for
chainguard.dev/apko
(Go)
May 4, 2026
apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root
High
CVE-2026-42574
was published
for
chainguard.dev/apko
(Go)
May 4, 2026
apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery
Moderate
CVE-2026-42576
was published
for
chainguard.dev/apko
(Go)
May 4, 2026
Pelican Web UI Affected by a Privilege Escalation Attack
Critical
CVE-2026-42571
was published
for
github.com/pelicanplatform/pelican
(Go)
May 4, 2026
phpVMS has an /importer authorization bypass causing full database wipe
Critical
CVE-2026-42569
was published
for
nabeel/phpvms
(Composer)
May 4, 2026
AzuraCast Vulnerable to Liquidsoap Code Injection via Incomplete cleanUpString-to-toRawString Migration in Remote Relay Password Field
High
GHSA-q4ph-8x8g-95f8
was published
for
azuracast/azuracast
(Composer)
May 4, 2026
AzuraCast has Missing Permissions Check on Media File Download, Allowing Cross-Station Data Exfiltration
Moderate
GHSA-qff7-q5fm-8p76
was published
for
azuracast/azuracast
(Composer)
May 4, 2026
AzuraCast's Missing RequireInternalConnection on Liquidsoap API Allows Low-Privilege Metadata Injection and Broadcast Disruption
Moderate
GHSA-4fm3-ggg2-c6qx
was published
for
azuracast/azuracast
(Composer)
May 4, 2026
AzuraCast has Password Reset Poisoning via Untrusted X-Forwarded-Host Header that Leads to Account Takeover and 2FA Bypass
High
CVE-2026-42606
was published
for
azuracast/azuracast
(Composer)
May 4, 2026
AzuraCast has Path Traversal in `currentDirectory` Parameter that Enables Remote Code Execution via Media Upload
High
CVE-2026-42605
was published
for
azuracast/azuracast
(Composer)
May 4, 2026
quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations
Moderate
CVE-2026-42333
was published
for
io.quarkiverse.openapi.generator:quarkus-openapi-generator
(Maven)
May 4, 2026
ProTip!
Advisories are also available from the
GraphQL API