GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 49; GitHub Actions 50; Go 3,665; Maven 5,000+; npm 5,000+; NuGet 931; pip 4,879; Pub 13; RubyGems 1,050; Rust 1,314; Swift 53.
Unreviewed advisories: All unreviewed 5,000+.
29,761 advisories
YAFNET has Stored XSS in Forum Thread Posts/Replies that Allows Arbitrary JavaScript Execution for All Thread Viewers. Severity: High. CVE-2026-43939 was published for YAFNET.Core (NuGet) on May 5, 2026.
YAFNET: Pre-Handler Authorization Bypass on Admin Pages Enables Blind SQL Execution via `/Admin/RunSql`. Severity: High. CVE-2026-43937 was published for YAFNET.Core (NuGet) on May 5, 2026.
YAFNET has Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header. Severity: High. CVE-2026-43938 was published for YAFNET.Core (NuGet) on May 5, 2026.
parse-server: MFA SMS one-time password accepted twice under concurrent login. Severity: Low. CVE-2026-43930 was published for parse-server (npm) on May 5, 2026.
ssrfcheck Vulnerable to Server-Side Request Forgery (SSRF) and Incomplete List of Disallowed Inputs. Severity: High. CVE-2026-43929 was published for ssrfcheck (npm) on May 5, 2026.
ssrfcheck: SSRF Bypass Caused by Failure to Classify Reserved IP Address Space as Invalid. Severity: High. CVE-2025-8267 was published for ssrfcheck (npm) on May 5, 2026.
wireshark-mcp vulnerable to arbitrary file write via export_objects when WIRESHARK_MCP_ALLOWED_DIRS is not configured. Severity: Moderate. CVE-2026-43901 was published for wireshark-mcp (pip) on May 5, 2026.
RustFS: ListServiceAccount authorizes against wrong admin action, enabling cross-user enumeration and root service account takeover. Severity: High. GHSA-mm2q-qcmx-gw4w was published for rustfs (Rust) on May 5, 2026.
Fiber vulnerable to XSS in AutoFormat Content Negotiation. Severity: Moderate. CVE-2026-42554 was published for github.com/gofiber/fiber/v2 (Go) on May 5, 2026.
link-preview-js vulnerable to IPv6 and internal loopback attacks. Severity: High. CVE-2026-43897 was published for link-preview-js (npm) on May 5, 2026.
Magento LTS Vulnerable to Open Redirect via Unvalidated `uenc` Parameter in `stockAction()`. Severity: Moderate. CVE-2026-42207 was published for openmage/magento-lts (Composer) on May 5, 2026.
pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication allows CPU exhaustion DoS. Severity: High. CVE-2026-42198 was published for org.postgresql:postgresql (Maven) on May 5, 2026.
django-s3file is vulnerable to relative path traversal. Severity: Critical. CVE-2026-42196 was published for django-s3file (pip) on May 5, 2026.
MinIO vulnerable to Path Traversal via msgpack Body in `ReadMultiple` Storage-REST Endpoint. Severity: Moderate. CVE-2026-42600 was published for github.com/minio/minio (Go) on May 5, 2026.
Admidio has an incomplete fix for CVE-2026-32812 (SSRF). Severity: Moderate. CVE-2026-42194 was published for admidio/admidio (Composer) on May 5, 2026.
Geyser Vulnerable to Server-Side Request Forgery (SSRF) via Player Head Texture URL in Geyser. Severity: Low. CVE-2026-42188 was published for org.geysermc.geyser:core (Maven) on May 5, 2026.
OpenBao's Namespace Deletion May Not Delete Data Properly. Severity: Low. CVE-2026-42186 was published for github.com/openbao/openbao (Go) on May 5, 2026.
exiftool-vendored vulnerable to argument injection via newline characters in tag names. Severity: High. CVE-2026-43893 was published for exiftool-vendored (npm) on May 5, 2026.
requests-hardened is Vulnerable to Server-Side Request Forgery. Severity: Moderate. CVE-2026-42175 was published for requests-hardened (pip) on May 5, 2026.
Magento LTS has Weak API Session ID — Predictable MD5 of Time-Derived Inputs. Severity: Critical. CVE-2026-42155 was published for openmage/magento-lts (Composer) on May 5, 2026.
Prometheus: Remote read endpoint allows denial of service via crafted snappy payload. Severity: High. CVE-2026-42154 was published for github.com/prometheus/prometheus (Go) on May 5, 2026.
Prometheus Azure AD remote write OAuth client secret exposed via config API. Severity: High. CVE-2026-42151 was published for github.com/prometheus/prometheus (Go) on May 5, 2026.
XWiki PlantUML Macro Vulnerable to Server-Side Request Forgery (SSRF) via 'server' parameter. Severity: Moderate. CVE-2026-42140 was published for org.xwiki.contrib.plantuml:macro-plantuml-macro (Maven) on May 5, 2026.
gix and gitoxide: unvalidated submodule name traverses out of .git/modules and redirects state() / open() to another repository. Severity: High. GHSA-fr8x-3vfx-f45h was published for gitoxide (Rust) on May 5, 2026.
gix and gitoxide's symlinked .gitmodules are followed and parsed from outside of the repository. Severity: High. GHSA-pg4w-g64p-qwhj was published for gitoxide (Rust) on May 5, 2026.
ProTip! Advisories are also available from the GraphQL API.