GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

790 advisories

XWiki's REST APIs can list all pages/spaces, leading to unavailability (Moderate)
CVE-2026-40104 was published for org.xwiki.platform:xwiki-platform-legacy-oldcore (Maven) on Apr 14, 2026

PraisonAI has Unrestricted Upload Size in WSGI Recipe Registry Server that Enables Memory Exhaustion DoS (Moderate)
CVE-2026-40115 was published for PraisonAI (pip) on Apr 10, 2026

Vikunja has File Size Limit Bypass via Vikunja Import (Moderate)
CVE-2026-35602 was published for code.vikunja.io/api (Go) on Apr 10, 2026
Credited to adrgs and aisafe-bot

OpenClaw: Multiple Code Paths Missing Base64 Pre-Allocation Size Checks (Moderate)
GHSA-ccx3-fw7q-rr2r was published for openclaw (npm) on Apr 9, 2026
Credited to zsxsoft and KeenSecurityLab

kubernetes-graphql-gateway: GraphQL Endpoint Vulnerable to Authenticated Denial-of-Service via Unrestricted Query Execution (Moderate)
GHSA-h9mw-h4qc-f5jf was published for github.com/platform-mesh/kubernetes-graphql-gateway (Go) on Apr 8, 2026

go-ipld-prime: DAG-CBOR decoder unbounded memory allocation from CBOR headers (Moderate)
CVE-2026-35480 was published for github.com/ipld/go-ipld-prime (Go) on Apr 6, 2026
Credited to yuliyu123

Directus: GraphQL Alias Amplification Denial of Service Due to Missing Query Cost/Complexity Limits (Moderate)
CVE-2026-35441 was published for directus (npm) on Apr 4, 2026
Credited to liyander

vLLM: Denial of Service via Unbounded Frame Count in video/jpeg Base64 Processing (Moderate)
CVE-2026-34755 was published for vllm (pip) on Apr 3, 2026
Credited to SEORY0, russellb, jperezdealgaba, DarkLight1337, and Isotr0py

LTI JupyterHub Authenticator: Unbounded Memory Growth via Nonce Storage (Denial of Service) (Moderate)
CVE-2026-34052 was published for jupyterhub-ltiauthenticator (pip) on Apr 3, 2026
Credited to yueyueL

vLLM: Unauthenticated OOM Denial of Service via Unbounded `n` Parameter in OpenAI API Server (Moderate)
CVE-2026-34756 was published for vllm (pip) on Apr 3, 2026
Credited to ez-lbz, russellb, and jperezdealgaba

OpenClaw: Telegram audio preflight transcription enables resource consumption by unauthorized senders (Moderate)
GHSA-m6fx-m8hc-572m was published for openclaw (npm) on Apr 3, 2026
Credited to AntAISecurityLab and Kazamayc

OpenClaw: Image pixel-limit guard can fail open on sips and allow decompression-bomb DoS (Moderate)
GHSA-w85g-3h6x-4xh2 was published for openclaw (npm) on Apr 3, 2026
Credited to AntAISecurityLab

OpenClaw runs Discord audio preflight transcription before member authorization (Moderate)
GHSA-hhff-fj5f-qg48 was published for openclaw (npm) on Apr 3, 2026
Credited to AntAISecurityLab

OpenClaw: LINE webhook handler lacks shared pre-auth concurrency budget before signature verification (Moderate)
GHSA-qcc3-jqwp-5vh2 was published for openclaw (npm) on Apr 2, 2026
Credited to nexrin and KeenSecurityLab

Rack's multipart byte range processing allows denial of service via excessive overlapping ranges (Moderate)
CVE-2026-34826 was published for rack (RubyGems) on Apr 2, 2026
Credited to orenyomtov, jeremyevans, and ioquatix

AIOHTTP has a Multipart Header Size Bypass (Moderate)
CVE-2026-34516 was published for aiohttp (pip) on Apr 1, 2026
Credited to bekkaze and Dreamsorcerer

aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage (Moderate)
CVE-2026-22815 was published for aiohttp (pip) on Apr 1, 2026
Credited to sg3-141-592 and Dreamsorcerer

OpenClaw: Gateway WebSocket Denial of Service via unbounded pre-auth upgrades (Moderate)
GHSA-f44p-c7w9-7xr7 was published for openclaw (npm) on Mar 31, 2026
Credited to topsec-bunney

go-git: Maliciously crafted idx file can cause asymmetric memory consumption (Moderate)
CVE-2026-34165 was published for github.com/go-git/go-git/v5 (Go) on Mar 30, 2026
Credited to kq5y

Incus vulnerable to denial of service through crafted bucket backup file (Moderate)
CVE-2026-33743 was published for github.com/lxc/incus (Go) on Mar 27, 2026
Credited to stamparm and stgraber

TSPortal's Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Service (Moderate)
CVE-2026-33541 was published for miraheze/ts-portal (Composer) on Mar 27, 2026
Credited to Universal-Omega