GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

29,596 advisories

Kirby CMS's system API endpoint leaks installed version and license data to authenticated users Moderate
CVE-2026-42051 was published for getkirby/cms (Composer) May 4, 2026
Credited to HuajiHD and 0x-bala
Kirby CMS doesn't gate user avatar creation, replacement and deletion with user update permissions Moderate
CVE-2026-42174 was published for getkirby/cms (Composer) May 4, 2026
Kirby CMS's read access to site, user and role information is not gated by permissions High
CVE-2026-42069 was published for getkirby/cms (Composer) May 4, 2026
Credited to HuajiHD
Incus is affected by unbounded binary import disk exhaustion Moderate
CVE-2026-41685 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
Credited to stamparm and stgraber
Incus has Nil Dereferences on Restore via Malformed YAML Moderate
CVE-2026-41684 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
Credited to raefko, Ectario, and stgraber
Incus has Unbounded YAML Metadata Decode via Parsing Low
CVE-2026-41648 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
Credited to raefko, Ectario, and stgraber
Incus has Nil-Pointer Dereference via S3 Bucket Import Moderate
CVE-2026-41647 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
Credited to raefko, Ectario, and stgraber
Kata Container has CopyFile Policy Subversion via Symlinks High
CVE-2026-41326 was published for github.com/kata-containers/kata-containers (Go) May 4, 2026
Credited to fitzthum, calonso-nv, fikriwahab, burgerdev, danmihai1, jojimt, and fidencio
OpenMRS has Stored Velocity SSTI to RCE via ConceptReferenceRange Critical
CVE-2026-41258 was published for org.openmrs.api:openmrs-api (Maven) May 4, 2026
Credited to snomi and Volcore
Traefik's errors middleware forwards Authorization and Cookie headers to separate error page service Moderate
CVE-2026-41181 was published for github.com/traefik/traefik/v2 (Go) May 4, 2026
Credited to lalalala5678
Gotenberg has an ExifTool Dangerous Tag Blocklist Bypass via Group-Prefixed Tag Names that Allows Arbitrary File Rename and Move High
CVE-2026-40893 was published for github.com/gotenberg/gotenberg/v8 (Go) May 4, 2026
Credited to AnuragBathani
Incus Vulnerable to Panic via Snapshot Bounds Check Moderate
CVE-2026-40251 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
Credited to stamparm and stgraber
Incus has an OVN TLS Verification that Accepts Peer-Supplied Roots Low
CVE-2026-40243 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
Credited to stamparm and stgraber
Incus has a Nil-Pointer Dereference via Custom Volume Import Moderate
CVE-2026-40197 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
Credited to stamparm and stgraber
Incus has a Nil-Pointer Dereference Panic via Bucket Metadata Moderate
CVE-2026-40195 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
Credited to stamparm and stgraber
OpenMRS Module Upload Vulnerable to Path Traversal (Zip Slip) High
CVE-2026-40076 was published for org.openmrs.web:openmrs-web (Maven) May 4, 2026
Credited to Arron-bit
Quarkus has Authentication/Authorization bypasses High
CVE-2026-39852 was published for io.quarkus:quarkus-vertx-http (Maven) May 4, 2026
Credited to p-
OpenMRS ModuleResourcesServlet has Path Traversal that Leads to Arbitrary File Read High
CVE-2026-40075 was published for org.openmrs.web:openmrs-web (Maven) May 4, 2026
Credited to Arron-bit
Incus has Blind SSRF via Image Import Preflight HEAD Moderate
CVE-2026-35527 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
Credited to stamparm and stgraber
OpenClaw: Slack thread context could include messages from non-allowlisted senders Low
CVE-2026-41358 was published for openclaw (npm) May 4, 2026
Credited to AntAISecurityLab
VM2 Sandbox Breakout Through __lookupGetter__ Critical
CVE-2026-24118 was published for vm2 (npm) May 4, 2026
Credited to XmiliaH
ps_checkout allows unauthorized method invocation through unvalidated parameter Low
GHSA-mqq7-wxx5-mp8h was published for prestashop/ps_checkout (Composer) Apr 30, 2026
Contrast Affected by CopyFile Policy Subversion via Symlinks High
GHSA-rh99-wc69-c255 was published for github.com/edgelesssys/contrast (Go) Apr 30, 2026
Arcane Vulnerable to Unauthenticated Disclosure of Custom Compose Template Content (incl. `.env` secrets) High
CVE-2026-42461 was published for github.com/getarcaneapp/arcane/backend (Go) Apr 30, 2026