GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,273
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,489
Swift
61
Unreviewed advisories
All unreviewed
5,000+
33,051 advisories
Filter by severity
Serena: Unauthenticated Flask dashboard on fixed port enables DNS rebinding → memory poisoning → RCE
High
CVE-2026-49471
was published
for
serena-agent
(pip)
Jul 8, 2026
NL Portal: IDOR allows any authenticated user to complete and tamper with another user's taak
High
CVE-2026-49464
was published
for
nl.nl-portal:taak
(Maven)
Jul 8, 2026
NL Portal: Missing per-user authorization on document and decision GraphQL queries in nl-portal-backend-libraries
Moderate
CVE-2026-49463
was published
for
nl.nl-portal:besluiten
(Maven)
Jul 8, 2026
Waku has an Open Redirect via `unstable_redirect` Helper
Low
CVE-2026-49456
was published
for
waku
(npm)
Jul 8, 2026
Waku: Cross-Origin CSRF on RSC Server Action Dispatch
Moderate
CVE-2026-49455
was published
for
waku
(npm)
Jul 8, 2026
Joro: Unauthenticated Cross-Origin Plugin Upload Leads to RCE
Critical
CVE-2026-53649
was published
for
github.com/BishopFox/joro
(Go)
Jul 8, 2026
OneRingBuf has a Use After Free Vulnerability
Moderate
GHSA-q95x-7g78-rccv
was published
for
oneringbuf
(Rust)
Jul 8, 2026
DSpace: Path Traversal is possible through LDN message generation
Moderate
CVE-2026-49833
was published
for
org.dspace:dspace-api
(Maven)
Jul 8, 2026
DSpace: ORE resource URI does not validate scheme for non-web resources
Moderate
CVE-2026-49830
was published
for
org.dspace:dspace-api
(Maven)
Jul 8, 2026
DSpace has a possible Path Traversal Vulnerability in its Curation Task Reporter output path
Moderate
CVE-2026-49831
was published
for
org.dspace:dspace-api
(Maven)
Jul 8, 2026
DSpace has possible Remote Code Execution (RCE) through Velocity Templates used by LDN
High
CVE-2026-49832
was published
for
org.dspace:dspace-api
(Maven)
Jul 8, 2026
Trapster Community: Unauthenticated malformed DNS compression pointers crash per-packet honeypot handler
Moderate
GHSA-mxwc-wh95-pw4g
was published
for
trapster
(pip)
Jul 8, 2026
Sharp Missing Authorization Check in Quick Creation Command Endpoints
Moderate
CVE-2026-53634
was published
for
code16/sharp
(Composer)
Jul 8, 2026
Nuclio: Unsanitized cron trigger event headers/body injected into CronJob shell command leads to persistent RCE
Critical
CVE-2026-52831
was published
for
github.com/nuclio/nuclio
(Go)
Jul 8, 2026
async-tar PAX extension-header desync enables tar entry/content smuggling
Moderate
CVE-2026-53600
was published
for
async-tar
(Rust)
Jul 8, 2026
Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding — chunked / HTTP/2 requests
High
CVE-2026-50197
was published
for
github.com/zalando/skipper
(Go)
Jul 8, 2026
`lxml_html_clean.Cleaner` does not strip `javascript:` URLs from namespaced URL attributes
High
CVE-2026-49825
was published
for
lxml_html_clean
(pip)
Jul 8, 2026
Weblate SSRF: outbound URL guard misses some private ranges
Moderate
CVE-2026-50127
was published
for
weblate
(pip)
Jul 7, 2026
oasdiff does not enforce --allow-external-refs=false on the git-revision load path (SSRF / local file read)
Moderate
CVE-2026-53508
was published
for
github.com/oasdiff/oasdiff
(Go)
Jul 7, 2026
KEDA has PostgreSQL connection string parameter injection via incomplete whitespace escaping
Moderate
CVE-2026-53572
was published
for
github.com/kedacore/keda/v2
(Go)
Jul 7, 2026
Flask-Security-Too: WebAuthn reauthentication freshness bypass via cross-user assertion
Moderate
GHSA-f66q-9rf6-8795
was published
for
Flask-Security-Too
(pip)
Jul 7, 2026
Goploy: Arbitrary File Read via Path Traversal in /deploy/fileDiff allows Remote Server Compromise
High
CVE-2026-53553
was published
for
github.com/zhenorzz/goploy
(Go)
Jul 7, 2026
Goploy: Cross-namespace IDOR and RCE via body-supplied row id in project and project_file handlers
Critical
CVE-2026-53552
was published
for
github.com/zhenorzz/goploy
(Go)
Jul 7, 2026
ha-mcp: Add-on settings and policy routes are reachable without authentication at the bare root path
Moderate
GHSA-q855-8rh5-jfgq
was published
for
ha-mcp
(pip)
Jul 7, 2026
rama has Stored XSS in ServeDir HTML directory listing via unescaped file names and URI path
Low
GHSA-cwv4-h3j5-w3cf
was published
for
rama
(Rust)
Jul 7, 2026
ProTip!
Advisories are also available from the
GraphQL API