GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,663
Maven
5,000+
npm
5,000+
NuGet
928
pip
4,878
Pub
13
RubyGems
1,050
Rust
1,314
Swift
53
Unreviewed advisories
All unreviewed
5,000+
29,751 advisories
Filter by severity
wireshark-mcp vulnerable to arbitrary file write via export_objects when WIRESHARK_MCP_ALLOWED_DIRS is not configured
Moderate
CVE-2026-43901
was published
for
wireshark-mcp
(pip)
May 5, 2026
RustFS: ListServiceAccount authorizes against wrong admin action, enabling cross-user enumeration and root service account takeover
High
GHSA-mm2q-qcmx-gw4w
was published
for
rustfs
(Rust)
May 5, 2026
Fiber vulnerable to XSS in AutoFormat Content Negotiation
Moderate
CVE-2026-42554
was published
for
github.com/gofiber/fiber/v2
(Go)
May 5, 2026
link-preview-js vulnerable to IPv6 and internal loopback attacks
High
CVE-2026-43897
was published
for
link-preview-js
(npm)
May 5, 2026
Magento LTS Vulnerable to Open Redirect via Unvalidated `uenc` Parameter in `stockAction()`
Moderate
CVE-2026-42207
was published
for
openmage/magento-lts
(Composer)
May 5, 2026
pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication allows CPU exhaustion DoS
High
CVE-2026-42198
was published
for
org.postgresql:postgresql
(Maven)
May 5, 2026
django-s3file is vulnerable to relative path traversal
Critical
CVE-2026-42196
was published
for
django-s3file
(pip)
May 5, 2026
MinIO vulnerable to Path Traversal via msgpack Body in `ReadMultiple` Storage-REST Endpoint
Moderate
CVE-2026-42600
was published
for
github.com/minio/minio
(Go)
May 5, 2026
Admidio has an incomplete fix for CVE-2026-32812 (SSRF)
Moderate
CVE-2026-42194
was published
for
admidio/admidio
(Composer)
May 5, 2026
Geyser Vulnerable to Server-Side Request Forgery (SSRF) via Player Head Texture URL in Geyser
Low
CVE-2026-42188
was published
for
org.geysermc.geyser:core
(Maven)
May 5, 2026
OpenBao's Namespace Deletion May Not Delete Data Properly
Low
CVE-2026-42186
was published
for
github.com/openbao/openbao
(Go)
May 5, 2026
exiftool-vendored vulnerable to argument injection via newline characters in tag names
High
CVE-2026-43893
was published
for
exiftool-vendored
(npm)
May 5, 2026
requests-hardened is Vulnerable to Server-Side Request Forgery
Moderate
CVE-2026-42175
was published
for
requests-hardened
(pip)
May 5, 2026
Magento LTS has Weak API Session ID — Predictable MD5 of Time-Derived Inputs
Critical
CVE-2026-42155
was published
for
openmage/magento-lts
(Composer)
May 5, 2026
Prometheus: Remote read endpoint allows denial of service via crafted snappy payload
High
CVE-2026-42154
was published
for
github.com/prometheus/prometheus
(Go)
May 5, 2026
Prometheus Azure AD remote write OAuth client secret exposed via config API
High
CVE-2026-42151
was published
for
github.com/prometheus/prometheus
(Go)
May 5, 2026
XWiki PlantUML Macro Vulnerable to Server-Side Request Forgery (SSRF) via 'server' parameter
Moderate
CVE-2026-42140
was published
for
org.xwiki.contrib.plantuml:macro-plantuml-macro
(Maven)
May 5, 2026
gix and gitoxide: unvalidated submodule name traverses out of .git/modules and redirects state() / open() to another repository
High
GHSA-fr8x-3vfx-f45h
was published
for
gitoxide
(Rust)
May 5, 2026
gix and gitoxide's symlinked .gitmodules are followed and parsed from outside of the repository
High
GHSA-pg4w-g64p-qwhj
was published
for
gitoxide
(Rust)
May 5, 2026
gix-pack has multiple DoS vectors: unchecked indexing panics and uncapped OOM allocations from crafted pack data
High
GHSA-x494-mj8g-cj27
was published
for
gix-pack
(Rust)
May 5, 2026
gitoxide: CommandForbiddenInModulesConfiguration Bypass in gix_submodule::File::update() Enables Arbitrary Command Execution via .gitmodules
High
GHSA-f26g-jm89-4g65
was published
for
gix
(Rust)
May 5, 2026
gix's submodule name validation bypass + trust inheritance flaw enables path traversal and credential disclosure
High
GHSA-p3hw-mv63-rf9w
was published
for
gix
(Rust)
May 5, 2026
gix-transport: HTTP credentials leaked to redirected host in curl backend
Moderate
GHSA-9857-6mw7-fq2m
was published
for
gix-transport
(Rust)
May 5, 2026
Video: Reflected XSS in plugin/Meet/iframe.php via Unescaped user and pass Parameters in JavaScript String Literal
Moderate
CVE-2026-43878
was published
for
wwbn/avideo
(Composer)
May 5, 2026
AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Authenticated Users' Profile Photos with Arbitrary Content
Moderate
CVE-2026-43877
was published
for
wwbn/avideo
(Composer)
May 5, 2026
ProTip!
Advisories are also available from the
GraphQL API