Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,521
Maven
5,000+
npm
5,000+
NuGet
912
pip
4,768
Pub
13
RubyGems
1,036
Rust
1,229
Swift
53
Unreviewed advisories
All unreviewed
5,000+

1,229 advisories

Loading
Vaultwarden's Collection Management Operations Allowed Without `manage` Verification for Manager Role High
CVE-2026-27803 was published for vaultwarden (Rust) Mar 4, 2026
odgrso Credited to odgrso
Vaultwarden has Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager High
CVE-2026-27802 was published for vaultwarden (Rust) Mar 4, 2026
odgrso Credited to odgrso and BlackDex BlackDex BlackDex
Vaultwarden has 2FA Bypass on Protected Actions due to Faulty Rate Limit Enforcement Moderate
CVE-2026-27801 was published for vaultwarden (Rust) Mar 4, 2026
d-xuan Credited to d-xuan, BlackDex, and dani-garcia BlackDex BlackDex
dani-garcia dani-garcia
AWS-LC has PKCS7_verify Signature Validation Bypass High
GHSA-hfpc-8r3f-gw53 was published for aws-lc-sys (Rust) Mar 3, 2026
AWS-LC has Timing Side-Channel in AES-CCM Tag Verification High
GHSA-65p9-r9h6-22vj was published for aws-lc-fips-sys (Rust) Mar 3, 2026
AWS-LC has PKCS7_verify Certificate Chain Validation Bypass High
GHSA-vw5v-4f2q-w9xf was published for aws-lc-sys (Rust) Mar 3, 2026
aws-kms-tls-auth vulnerable to memory overallocation Low
GHSA-5whh-4q9j-7v28 was published for aws-kms-tls-auth (Rust) Mar 3, 2026
`tracing-check` was removed from crates.io for malicious code Critical
GHSA-5pmp-jpcf-pwx6 was published for tracing-check (Rust) Mar 2, 2026
theshit's Improper Privilege Dropping Allows Local Privilege Escalation via Command Re-execution High
CVE-2026-21882 was published for theshit (Rust) Mar 2, 2026
AsfhtgkDavid Credited to AsfhtgkDavid
Hive has Double-free and Use After Free Vulnerabilities Moderate
GHSA-j8cj-hw74-64jv was published for hivex (Rust) Feb 28, 2026
uv has ZIP payload obfuscation through parsing differentials Moderate
CVE-2025-13327 was published for uv (Rust) Feb 27, 2026
Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover Critical
CVE-2026-27822 was published for rustfs (Rust) Feb 25, 2026
naoyashiga Credited to naoyashiga
RustFS: Missing Post Policy Validation leads to Arbitrary Object Write High
CVE-2026-27607 was published for rustfs (Rust) Feb 25, 2026
nikeee Credited to nikeee
hexchat crate has a Use After Free vulnerability High
GHSA-x43w-ph7m-pfjx was published for hexchat (Rust) Feb 25, 2026
Wasmtime can panic when adding excessive fields to a `wasi:http/types.fields` instance Moderate
CVE-2026-27572 was published for wasmtime (Rust) Feb 24, 2026
alexcrichton Credited to alexcrichton
Wasmtime WASI implementations are vulnerable to guest-controlled resource exhaustion Moderate
CVE-2026-27204 was published for wasmtime (Rust) Feb 24, 2026
mbund Credited to mbund, alexcrichton, and pchickey alexcrichton alexcrichton
pchickey pchickey
Wasmtime is vulnerable to panic when dropping a `[Typed]Func::call_async` future Moderate
CVE-2026-27195 was published for wasmtime (Rust) Feb 24, 2026
dicej Credited to dicej
Static Web Server affected by timing-based username enumeration in Basic Authentication due to early response on invalid usernames Moderate
CVE-2026-27480 was published for static-web-server (Rust) Feb 20, 2026
naoyashiga Credited to naoyashiga and joseluisq joseluisq joseluisq
Deno has a Command Injection via Incomplete shell metacharacter blocklist in node:child_process High
CVE-2026-27190 was published for deno (Rust) Feb 19, 2026
jackhax Credited to jackhax
PyO3 has type confusion when accessing data from sublasses of subclasses of native types with `abi3` feature High
GHSA-47qc-857f-7w7f was published for pyo3 (Rust) Feb 19, 2026
Unsoundness in opt-in ARMv8 assembly backend for `keccak` Low
GHSA-3288-p39f-rqpv was published for keccak (Rust) Feb 19, 2026
Improper Digest Verification in httpsig-hyper May Allow Message Integrity Bypass High
CVE-2026-26275 was published for httpsig-hyper (Rust) Feb 17, 2026
divi255 Credited to divi255
The rs-soroban-sdk #[contractimpl] macro calls inherent function instead of trait function when names collide High
CVE-2026-26267 was published for soroban-sdk-macros (Rust) Feb 17, 2026
leighmcculloch Credited to leighmcculloch, mootz12, nan-zellic, and dmkozh mootz12 mootz12
nan-zellic nan-zellic dmkozh dmkozh
`polymarket-client-sdks` was removed from crates.io for malicious code Critical
GHSA-p5vf-5754-x7p3 was published for polymarket-client-sdks (Rust) Feb 13, 2026
rPGP's integrity protection of encrypted data was not always checked Moderate
GHSA-c7ph-f7jm-xv4w was published for pgp (Rust) Feb 13, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database