
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

29,761 advisories

Credited to MuhammadUwais

YAFNET: Pre-Handler Authorization Bypass on Admin Pages Enables Blind SQL Execution via `/Admin/RunSql` (Severity: High)
CVE-2026-43937 was published for YAFNET.Core (NuGet) May 5, 2026. Credited to MuhammadUwais.
YAFNET has Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header (Severity: High)
CVE-2026-43938 was published for YAFNET.Core (NuGet) May 5, 2026. Credited to MuhammadUwais.
parse-server: MFA SMS one-time password accepted twice under concurrent login (Severity: Low)
CVE-2026-43930 was published for parse-server (npm) May 5, 2026. Credited to adrgs, aisafe-bot, and mtrezza.

Credited to hits313
ssrfcheck: SSRF Bypass Caused by Failure to Classify Reserved IP Address Space as Invalid (Severity: High)
CVE-2025-8267 was published for ssrfcheck (npm) May 5, 2026. Credited to lirantal, bx33661, and kodareef5.
Fiber vulnerable to XSS in AutoFormat Content Negotiation (Severity: Moderate)
CVE-2026-42554 was published for github.com/gofiber/fiber/v2 (Go) May 5, 2026. Credited to wodzen, gaby, ReneWerner87, and sixcolors.
link-preview-js vulnerable to IPv6 and internal loopback attacks (Severity: High)
CVE-2026-43897 was published for link-preview-js (npm) May 5, 2026. Credited to Andrew-most-likely and ospfranco.
Magento LTS Vulnerable to Open Redirect via Unvalidated `uenc` Parameter in `stockAction()` (Severity: Moderate)
CVE-2026-42207 was published for openmage/magento-lts (Composer) May 5, 2026. Credited to 0x0OZ.
pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication allows CPU exhaustion DoS (Severity: High)
CVE-2026-42198 was published for org.postgresql:postgresql (Maven) May 5, 2026. Credited to sehrope.
django-s3file is vulnerable to relative path traversal (Severity: Critical)
CVE-2026-42196 was published for django-s3file (pip) May 5, 2026. Credited to stsewd and amureki.
MinIO vulnerable to Path Traversal via msgpack Body in `ReadMultiple` Storage-REST Endpoint (Severity: Moderate)
CVE-2026-42600 was published for github.com/minio/minio (Go) May 5, 2026. Credited to adrian-doyensec and donatello.
Admidio has an incomplete fix for CVE-2026-32812 (SSRF) (Severity: Moderate)
CVE-2026-42194 was published for admidio/admidio (Composer) May 5, 2026. Credited to decsecre583.
Geyser Vulnerable to Server-Side Request Forgery (SSRF) via Player Head Texture URL in Geyser (Severity: Low)
CVE-2026-42188 was published for org.geysermc.geyser:core (Maven) May 5, 2026. Credited to mugi-sec and onebeastchris.
OpenBao's Namespace Deletion May Not Delete Data Properly (Severity: Low)
CVE-2026-42186 was published for github.com/openbao/openbao (Go) May 5, 2026. Credited to cipherboy.
exiftool-vendored vulnerable to argument injection via newline characters in tag names (Severity: High)
CVE-2026-43893 was published for exiftool-vendored (npm) May 5, 2026. Credited to Dobby153.
requests-hardened is Vulnerable to Server-Side Request Forgery (Severity: Moderate)
CVE-2026-42175 was published for requests-hardened (pip) May 5, 2026. Credited to hits313.
Magento LTS has Weak API Session ID — Predictable MD5 of Time-Derived Inputs (Severity: Critical)
CVE-2026-42155 was published for openmage/magento-lts (Composer) May 5, 2026. Credited to 0x0OZ.
Prometheus: Remote read endpoint allows denial of service via crafted snappy payload (Severity: High)
CVE-2026-42154 was published for github.com/prometheus/prometheus (Go) May 5, 2026. Credited to ShadowByte1.
Prometheus Azure AD remote write OAuth client secret exposed via config API (Severity: High)
CVE-2026-42151 was published for github.com/prometheus/prometheus (Go) May 5, 2026. Credited to brettgervasoni.
XWiki PlantUML Macro Vulnerable to Server-Side Request Forgery (SSRF) via 'server' parameter (Severity: Moderate)
CVE-2026-42140 was published for org.xwiki.contrib.plantuml:macro-plantuml-macro (Maven) May 5, 2026. Credited to lukasz-rybak.

Credited to N0zoM1z0
gix and gitoxide's symlinked .gitmodules are followed and parsed from outside of the repository (Severity: High)
GHSA-pg4w-g64p-qwhj was published for gitoxide (Rust) May 5, 2026. Credited to N0zoM1z0.