
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

29,751 advisories

Credited to bx33661
Credited to kodareef5
Fiber vulnerable to XSS in AutoFormat Content Negotiation Moderate
CVE-2026-42554 was published for github.com/gofiber/fiber/v2 (Go) May 5, 2026
Credited to wodzen, gaby, ReneWerner87, and sixcolors
link-preview-js vulnerable to IPv6 and internal loopback attacks High
CVE-2026-43897 was published for link-preview-js (npm) May 5, 2026
Credited to Andrew-most-likely and ospfranco
Magento LTS Vulnerable to Open Redirect via Unvalidated `uenc` Parameter in `stockAction()` Moderate
CVE-2026-42207 was published for openmage/magento-lts (Composer) May 5, 2026
Credited to 0x0OZ
pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication allows CPU exhaustion DoS High
CVE-2026-42198 was published for org.postgresql:postgresql (Maven) May 5, 2026
Credited to sehrope
django-s3file is vulnerable to relative path traversal Critical
CVE-2026-42196 was published for django-s3file (pip) May 5, 2026
Credited to stsewd and amureki
MinIO vulnerable to Path Traversal via msgpack Body in `ReadMultiple` Storage-REST Endpoint Moderate
CVE-2026-42600 was published for github.com/minio/minio (Go) May 5, 2026
Credited to adrian-doyensec and donatello
Admidio has an incomplete fix for CVE-2026-32812 (SSRF) Moderate
CVE-2026-42194 was published for admidio/admidio (Composer) May 5, 2026
Credited to decsecre583
Geyser Vulnerable to Server-Side Request Forgery (SSRF) via Player Head Texture URL in Geyser Low
CVE-2026-42188 was published for org.geysermc.geyser:core (Maven) May 5, 2026
Credited to mugi-sec and onebeastchris
OpenBao's Namespace Deletion May Not Delete Data Properly Low
CVE-2026-42186 was published for github.com/openbao/openbao (Go) May 5, 2026
Credited to cipherboy
exiftool-vendored vulnerable to argument injection via newline characters in tag names High
CVE-2026-43893 was published for exiftool-vendored (npm) May 5, 2026
Credited to Dobby153
requests-hardened is Vulnerable to Server-Side Request Forgery Moderate
CVE-2026-42175 was published for requests-hardened (pip) May 5, 2026
Credited to hits313
Magento LTS has Weak API Session ID — Predictable MD5 of Time-Derived Inputs Critical
CVE-2026-42155 was published for openmage/magento-lts (Composer) May 5, 2026
Credited to 0x0OZ
Prometheus: Remote read endpoint allows denial of service via crafted snappy payload High
CVE-2026-42154 was published for github.com/prometheus/prometheus (Go) May 5, 2026
Credited to ShadowByte1
Prometheus Azure AD remote write OAuth client secret exposed via config API High
CVE-2026-42151 was published for github.com/prometheus/prometheus (Go) May 5, 2026
Credited to brettgervasoni
XWiki PlantUML Macro Vulnerable to Server-Side Request Forgery (SSRF) via 'server' parameter Moderate
CVE-2026-42140 was published for org.xwiki.contrib.plantuml:macro-plantuml-macro (Maven) May 5, 2026
Credited to lukasz-rybak
Credited to N0zoM1z0
gix and gitoxide's symlinked .gitmodules are followed and parsed from outside of the repository High
GHSA-pg4w-g64p-qwhj was published for gitoxide (Rust) May 5, 2026
Credited to N0zoM1z0
Credited to kodareef5
Credited to kodareef5
gix-transport: HTTP credentials leaked to redirected host in curl backend Moderate
GHSA-9857-6mw7-fq2m was published for gix-transport (Rust) May 5, 2026
Credited to sammiee5311
Credited to offset
Credited to offset