Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,652
Maven
5,000+
npm
5,000+
NuGet
928
pip
4,860
Pub
13
RubyGems
1,050
Rust
1,304
Swift
53
Unreviewed advisories
All unreviewed
5,000+

29,672 advisories

Loading
Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy Moderate
CVE-2026-42041 was published for axios (npm) May 5, 2026
August829 Credited to August829
Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 High
CVE-2026-42043 was published for axios (npm) May 5, 2026
sachinpatilpsp Credited to sachinpatilpsp and IAMolofficial IAMolofficial IAMolofficial
Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver` Moderate
CVE-2026-42044 was published for axios (npm) May 5, 2026
August829 Credited to August829
Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking High
CVE-2026-42264 was published for axios (npm) May 5, 2026
bulmax9797-sketch Credited to bulmax9797-sketch
Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams Low
CVE-2026-42040 was published for axios (npm) May 5, 2026
August829 Credited to August829
ogham-mcp had credentials embedded in published PyPI sdists -- Neon postgres URLs and Voyage API key Moderate
GHSA-8pqq-224h-x875 was published for ogham-mcp (pip) May 5, 2026
sequoia-git has broken hard revocation handling Low
GHSA-g27r-r6ph-vf5r was published for sequoia-git (Rust) May 4, 2026
webonyx/graphql-php has quadratic validation cost in OverlappingFieldsCanBeMerged via inline fragments High
GHSA-fc86-6rv6-2jpm was published for webonyx/graphql-php (Composer) May 4, 2026
d0cs1s-bzhunt Credited to d0cs1s-bzhunt and BZHunt BZHunt BZHunt
livewire-markdown-editor has arbitrary file upload that allows stored XSS via attachment handler High
GHSA-gxxh-8vcj-w2mh was published for mckenziearts/livewire-markdown-editor (Composer) May 4, 2026
pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy via unrestricted `proxy.*` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586) High
CVE-2026-42313 was published for pyload-ng (pip) May 4, 2026
shmulc8 Credited to shmulc8
pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification via unrestricted `ssl_verify` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586) Moderate
CVE-2026-42312 was published for pyload-ng (pip) May 4, 2026
shmulc8 Credited to shmulc8
net-imap vulnerable to command Injection via "raw" arguments to multiple commands Moderate
CVE-2026-42257 was published for net-imap (RubyGems) May 4, 2026
manunio Credited to manunio
net-imap vulnerable to command Injection via unvalidated Symbol inputs Moderate
CVE-2026-42258 was published for net-imap (RubyGems) May 4, 2026
manunio Credited to manunio
net-imap vulnerable to denial of service via high iteration count for `SCRAM-*` authentication Moderate
CVE-2026-42256 was published for net-imap (RubyGems) May 4, 2026
Masamuneee Credited to Masamuneee
net-imap has quadratic complexity when reading response literals Low
CVE-2026-42245 was published for net-imap (RubyGems) May 4, 2026
Masamuneee Credited to Masamuneee
net-imap vulnerable to STARTTLS stripping via invalid response timing High
CVE-2026-42246 was published for net-imap (RubyGems) May 4, 2026
Masamuneee Credited to Masamuneee
`mysten-metrics` was removed from crates.io for malicious code Critical
GHSA-g38r-8gmr-ghrf was published for mysten-metrics (Rust) May 4, 2026
`sui-execution-cut` was removed from crates.io for malicious code Critical
GHSA-qprh-m6p3-hwxc was published for sui-execution-cut (Rust) May 4, 2026
ArchiveBox Vulnerable to RCE via unvalidated per-crawl config overrides in AddView Critical
CVE-2026-42601 was published for archivebox (pip) May 4, 2026
q1uf3ng Credited to q1uf3ng
apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible) High
CVE-2026-42575 was published for chainguard.dev/apko (Go) May 4, 2026
1seal Credited to 1seal and antitree antitree antitree
apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root High
CVE-2026-42574 was published for chainguard.dev/apko (Go) May 4, 2026
1seal Credited to 1seal, antitree, and markusthoemmes antitree antitree
markusthoemmes markusthoemmes
apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery Moderate
CVE-2026-42576 was published for chainguard.dev/apko (Go) May 4, 2026
1seal Credited to 1seal, antitree, and markusthoemmes antitree antitree
markusthoemmes markusthoemmes
Pelican Web UI Affected by a Privilege Escalation Attack Critical
CVE-2026-42571 was published for github.com/pelicanplatform/pelican (Go) May 4, 2026
brianaydemir Credited to brianaydemir, jhiemstrawisc, matyasselmeci, and williamnswanson jhiemstrawisc jhiemstrawisc
matyasselmeci matyasselmeci williamnswanson williamnswanson
phpVMS has an /importer authorization bypass causing full database wipe Critical
CVE-2026-42569 was published for nabeel/phpvms (Composer) May 4, 2026
peter-bosch Credited to peter-bosch
AzuraCast Vulnerable to Liquidsoap Code Injection via Incomplete cleanUpString-to-toRawString Migration in Remote Relay Password Field High
GHSA-q4ph-8x8g-95f8 was published for azuracast/azuracast (Composer) May 4, 2026
offset Credited to offset
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database