Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,521
Maven
5,000+
npm
5,000+
NuGet
911
pip
4,760
Pub
13
RubyGems
1,036
Rust
1,229
Swift
53
Unreviewed advisories
All unreviewed
5,000+

2,037 advisories

Loading
Defense in Depth update for NuGet Client Low
GHSA-g4vj-cjjj-v7hg was published for NuGet.CommandLine (NuGet) Apr 14, 2026
pyLoad's Session Not Invalidated After Permission Changes Low
GHSA-fj52-5g4h-gmq8 was published for pyload-ng (pip) Apr 14, 2026
PinkDraconian Credited to PinkDraconian
OpenTofu has unbounded memory usage, high CPU usage, or deadlock in "tofu init" with maliciously-crafted dependency responses Low
GHSA-hw5x-4r37-72w7 was published for github.com/opentofu/opentofu (Go) Apr 14, 2026
DotNetNuke.Core security code analysis rules triggered Low
GHSA-fcpv-w245-r2q7 was published for DotNetNuke.Core (NuGet) Apr 14, 2026
bdukes Credited to bdukes and valadas valadas valadas
ImageMagick has a memory leak in PNG encoder when writing a MNG image Low
GHSA-x928-4434-crqj was published for Magick.NET-Q16-AnyCPU (NuGet) Apr 14, 2026
ylwango613 Credited to ylwango613
ImageMagick has out-of-bounds access in ConnectedComponentsImage() via CLI-controlled connected-components:* artifacts Low
GHSA-pmpg-6pww-fg6q was published for Magick.NET-Q16-AnyCPU (NuGet) Apr 14, 2026
ylwango613 Credited to ylwango613
ImageMagick has a heap buffer overflow read in magnify operation via unrecognized magnify:method value Low
GHSA-8vfj-q2cp-5m5j was published for Magick.NET-Q16-AnyCPU (NuGet) Apr 14, 2026
e1abrador Credited to e1abrador
ImageMagick has has an off-by-one origin validation in allows out-of-bounds read in morphology processing Low
GHSA-q8h3-jv9v-57qx was published for Magick.NET-Q16-AnyCPU (NuGet) Apr 14, 2026
shitianyu-2004 Credited to shitianyu-2004
ImageMagick has a heap-buffer-overflow in FTXT encoder Low
GHSA-w54j-7wpm-crhj was published for Magick.NET-Q16-AnyCPU (NuGet) Apr 14, 2026
unbengable12 Credited to unbengable12
Microsoft Security Advisory CVE-2026-32178 – .NET Spoofing Vulnerability Low
CVE-2026-32178 was published for Microsoft.NetCore.App.Runtime.linux-arm (NuGet) Apr 14, 2026
Giskard has a Regular Expression Denial of Service (ReDoS) in RegexMatching Check Low
CVE-2026-40319 was published for giskard-checks (pip) Apr 14, 2026
dhabaleshwar Credited to dhabaleshwar
Unauthenticated Open Redirect, Arbitrary HTTP Response Header Injection, Missing CSRF, and Invisible-Mode Bypass in goshs `/?redirect` endpoint Low
GHSA-7qx6-f23w-3w7f was published for github.com/patrickhener/goshs (Go) Apr 14, 2026
wooseokdotkim Credited to wooseokdotkim
OAuth2 Proxy's session cookies are not cleared when rendering sign-in page Low
CVE-2026-34454 was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) Apr 14, 2026
bella-WI Credited to bella-WI and fnoehWM fnoehWM fnoehWM
Multiple security fixes in justhtml Low
GHSA-4p64-v8f5-r2gx was published for justhtml (pip) Apr 14, 2026
EmilStenstrom Credited to EmilStenstrom
Fat Free CRM has BOLA in DELETE /emails/:id - Any authenticated user can hit this endpoint and delete emails by ID Low
GHSA-9pm8-vwc5-w2hm was published for fat_free_crm (RubyGems) Apr 14, 2026
bgeesaman Credited to bgeesaman
Kimai leaks API Token Hash via Invoice Twig Template Low
GHSA-rh42-6rj2-xwmc was published for kimai/kimai (Composer) Apr 14, 2026
hett-patell Credited to hett-patell
Kimai has an Open Redirect via Unvalidated RelayState in SAML ACS Handler Low
GHSA-3jp4-mhh4-gcgr was published for kimai/kimai (Composer) Apr 14, 2026
morimori-dev Credited to morimori-dev
Rand is unsound with a custom logger using rand::rng() Low
GHSA-cq8v-f236-94qc was published for rand (Rust) Apr 14, 2026
Craft Commerce has an unauthenticated information disclosure that can leak some customer order data on anonymous payments Low
CVE-2026-32270 was published for craftcms/commerce (Composer) Apr 14, 2026
tianluov Credited to tianluov
DbGate has cross site scripting via the SVG Icon String Handler component Low
CVE-2026-6216 was published for dbgate-web (npm) Apr 13, 2026
Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel Low
CVE-2026-40263 was published for github.com/enchant97/note-mark/backend (Go) Apr 13, 2026
QiaoNPC Credited to QiaoNPC, Across-Verticals-Malaysia, and enchant97 Across-Verticals-Malaysia Across-Verticals-Malaysia
enchant97 enchant97
Warm-Flow has a SpEL Expression Injection in SpelHelper.parseExpression Low
CVE-2026-6125 was published for org.dromara.warm:warm-flow-plugin-modes-sb (Maven) Apr 12, 2026
MetaGPT affected by server-side request forgery in metagpt/utils/common.py Low
CVE-2026-6111 was published for metagpt (pip) Apr 12, 2026
MetaGPT has an eval injection via a cross-site request forgery attack Low
CVE-2026-6109 was published for metagpt (pip) Apr 12, 2026
unhead: Streaming SSR `streamKey` injected into inline script without identifier validation Low
GHSA-x7mm-9vvv-64w8 was published for unhead (npm) Apr 10, 2026
Jvr2022 Credited to Jvr2022
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database