GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
29,596 advisories
Kirby CMS's system API endpoint leaks installed version and license data to authenticated users
Moderate
CVE-2026-42051 was published for getkirby/cms (Composer) on May 4, 2026
Kirby CMS doesn't gate user avatar creation, replacement and deletion with user update permissions
Moderate
CVE-2026-42174 was published for getkirby/cms (Composer) on May 4, 2026
Kirby CMS's read access to site, user and role information is not gated by permissions
High
CVE-2026-42069 was published for getkirby/cms (Composer) on May 4, 2026
Incus is affected by unbounded binary import disk exhaustion
Moderate
CVE-2026-41685 was published for github.com/lxc/incus/v6/cmd/incusd (Go) on May 4, 2026
Incus has Nil Dereferences on Restore via Malformed YAML
Moderate
CVE-2026-41684 was published for github.com/lxc/incus/v6/cmd/incusd (Go) on May 4, 2026
Incus has Unbounded YAML Metadata Decode via Parsing
Low
CVE-2026-41648 was published for github.com/lxc/incus/v6/cmd/incusd (Go) on May 4, 2026
Incus has Nil-Pointer Dereference via S3 Bucket Import
Moderate
CVE-2026-41647 was published for github.com/lxc/incus/v6/cmd/incusd (Go) on May 4, 2026
Kata Container has CopyFile Policy Subversion via Symlinks
High
CVE-2026-41326 was published for github.com/kata-containers/kata-containers (Go) on May 4, 2026
OpenMRS has Stored Velocity SSTI to RCE via ConceptReferenceRange
Critical
CVE-2026-41258 was published for org.openmrs.api:openmrs-api (Maven) on May 4, 2026
Traefik's errors middleware forwards Authorization and Cookie headers to separate error page service
Moderate
CVE-2026-41181 was published for github.com/traefik/traefik/v2 (Go) on May 4, 2026
Gotenberg has an ExifTool Dangerous Tag Blocklist Bypass via Group-Prefixed Tag Names that Allows Arbitrary File Rename and Move
High
CVE-2026-40893 was published for github.com/gotenberg/gotenberg/v8 (Go) on May 4, 2026
Incus Vulnerable to Panic via Snapshot Bounds Check
Moderate
CVE-2026-40251 was published for github.com/lxc/incus/v6/cmd/incusd (Go) on May 4, 2026
Incus has an OVN TLS Verification that Accepts Peer-Supplied Roots
Low
CVE-2026-40243 was published for github.com/lxc/incus/v6/cmd/incusd (Go) on May 4, 2026
Incus has a Nil-Pointer Dereference via Custom Volume Import
Moderate
CVE-2026-40197 was published for github.com/lxc/incus/v6/cmd/incusd (Go) on May 4, 2026
Incus has a Nil-Pointer Dereference Panic via Bucket Metadata
Moderate
CVE-2026-40195 was published for github.com/lxc/incus/v6/cmd/incusd (Go) on May 4, 2026
OpenMRS Module Upload Vulnerable to Path Traversal (Zip Slip)
High
CVE-2026-40076 was published for org.openmrs.web:openmrs-web (Maven) on May 4, 2026
Quarkus has Authentication/Authorization bypasses
High
CVE-2026-39852 was published for io.quarkus:quarkus-vertx-http (Maven) on May 4, 2026
OpenMRS ModuleResourcesServlet has Path Traversal that Leads to Arbitrary File Read
High
CVE-2026-40075 was published for org.openmrs.web:openmrs-web (Maven) on May 4, 2026
Incus has Blind SSRF via Image Import Preflight HEAD
Moderate
CVE-2026-35527 was published for github.com/lxc/incus/v6/cmd/incusd (Go) on May 4, 2026
OpenClaw: Slack thread context could include messages from non-allowlisted senders
Low
CVE-2026-41358 was published for openclaw (npm) on May 4, 2026
VM2 Sandbox Breakout Through __lookupGetter__
Critical
CVE-2026-24118 was published for vm2 (npm) on May 4, 2026
Kirby CMS's `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API
High
CVE-2026-42137 was published for getkirby/cms (Composer) on Apr 30, 2026
ps_checkout allows unauthorized method invocation through unvalidated parameter
Low
GHSA-mqq7-wxx5-mp8h was published for prestashop/ps_checkout (Composer) on Apr 30, 2026
Contrast Affected by CopyFile Policy Subversion via Symlinks
High
GHSA-rh99-wc69-c255 was published for github.com/edgelesssys/contrast (Go) on Apr 30, 2026
Arcane Vulnerable to Unauthenticated Disclosure of Custom Compose Template Content (incl. `.env` secrets)
High
CVE-2026-42461 was published for github.com/getarcaneapp/arcane/backend (Go) on Apr 30, 2026
ProTip! Advisories are also available from the GraphQL API.