Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,583
Maven
5,000+
npm
5,000+
NuGet
920
pip
4,817
Pub
13
RubyGems
1,043
Rust
1,251
Swift
53
Unreviewed advisories
All unreviewed
5,000+

29,345 advisories

Loading
Argo Workflows: Unchecked annotation parsing in pod informer crashes Argo Workflows Controller High
CVE-2026-40886 was published for github.com/argoproj/argo-workflows/v3 (Go) Apr 23, 2026
thevilledev Credited to thevilledev
OpenTelemetry dotnet: OTLP exporter reads unbounded HTTP response bodies Moderate
CVE-2026-40182 was published for OpenTelemetry.Exporter.OpenTelemetryProtocol (NuGet) Apr 23, 2026
martincostello Credited to martincostello, 1seal, Kielek, and arminru 1seal 1seal
Kielek Kielek arminru arminru
Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter Moderate
CVE-2026-40099 was published for getkirby/cms (Composer) Apr 23, 2026
offset Credited to offset
Apktool: Path Traversal to Arbitrary File Write High
CVE-2026-39973 was published for org.apktool:apktool-lib (Maven) Apr 23, 2026
caveeroo Credited to caveeroo and IgorEisberg IgorEisberg IgorEisberg
Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering High
CVE-2026-34587 was published for getkirby/cms (Composer) Apr 23, 2026
offset Credited to offset
Actual has Privilege Escalation via 'change-password' Endpoint on OpenID-Migrated Servers High
CVE-2026-33318 was published for @actual-app/sync-server (npm) Apr 23, 2026
Rex50527 Credited to Rex50527
go-ntlmssp NTLM challenges can panic on malformed payloads Moderate
CVE-2026-32952 was published for github.com/Azure/go-ntlmssp (Go) Apr 23, 2026
Kirby has XML injection in its XML creator toolkit Moderate
CVE-2026-32870 was published for getkirby/cms (Composer) Apr 23, 2026
dapatrese Credited to dapatrese
Pipecat: Remote Code Execution by Pickle Deserialization Through LivekitFrameSerializer Critical
CVE-2025-62373 was published for pipecat-ai (pip) Apr 23, 2026
Chenpinji Credited to Chenpinji
Microsoft Security Advisory CVE-2026-40372 – ASP.NET Core Elevation of Privilege High
CVE-2026-40372 was published for Microsoft.AspNetCore.DataProtection (NuGet) Apr 23, 2026
Astro: Cache Poisoning due to incorrect error handling when if-match header is malformed Moderate
CVE-2026-41322 was published for @astrojs/node (npm) Apr 23, 2026
dnlbln Credited to dnlbln, matthewp, and ematipico matthewp matthewp
ematipico ematipico
n8n-MCP Logs Sensitive Request Data on Unauthorized /mcp Requests Moderate
CVE-2026-41495 was published for n8n-mcp (npm) Apr 23, 2026
S4nso Credited to S4nso
goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS Moderate
GHSA-rhf7-wvw3-vjvm was published for github.com/patrickhener/goshs (Go) Apr 23, 2026
OpenC3 COSMOS: Permissions Bypass Provides User Access to Unassigned Administrative Actions via Script Runner Tool Critical
GHSA-2wvh-87g2-89hr was published for openc3 (RubyGems) Apr 23, 2026
suffs811 Credited to suffs811
OpenC3 COSMOS has SQL Injection in QuestDB Time-Series Database Critical
GHSA-v529-vhwc-wfc5 was published for openc3 (RubyGems) Apr 23, 2026
suffs811 Credited to suffs811
OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender Moderate
GHSA-ffq5-qpvf-xq7x was published for openc3 (RubyGems) Apr 22, 2026
ctrlsill Credited to ctrlsill
OpenC3 COSMOS allows arbitrary writes to plugins directory via path-traversed config filenames Moderate
GHSA-4jvx-93h3-f45h was published for openc3 (RubyGems) Apr 22, 2026
ctrlsill Credited to ctrlsill
OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence High
GHSA-wgx6-g857-jjf7 was published for openc3 (RubyGems) Apr 22, 2026
ctrlsill Credited to ctrlsill
OpenMcdf has an Infinite loop DoS via crafted CFB directory cycle Moderate
CVE-2026-41511 was published for OpenMcdf (NuGet) Apr 22, 2026
pawlos Credited to pawlos
Evolver: Path Traversal via `--out` flag in `fetch` command allows Arbitrary File Write High
GHSA-r466-rxw4-3j9j was published for @evomap/evolver (npm) Apr 22, 2026
xeloxa Credited to xeloxa
Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution Critical
GHSA-j5w5-568x-rq53 was published for @evomap/evolver (npm) Apr 22, 2026
xeloxa Credited to xeloxa
Evolver has Prototype Pollution via `Object.assign()` in its mailbox store operations Moderate
GHSA-2cjr-5v3h-v2w4 was published for @evomap/evolver (npm) Apr 22, 2026
xeloxa Credited to xeloxa
NornicDB has Improper Network Binding in its Bolt Server, allowing unauthorized remote access Critical
GHSA-2hp7-65r3-wv54 was published for github.com/orneryd/nornicdb (Go) Apr 22, 2026
justhtml has sanitization bypass in custom policies and programmatic DOM Moderate
GHSA-vrx2-77f2-ww34 was published for justhtml (pip) Apr 22, 2026
EmilStenstrom Credited to EmilStenstrom
rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1 High
CVE-2026-41676 was published for openssl (Rust) Apr 22, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database