GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,784 advisories

NeuVector scanner insecurely handles passwords as command arguments Low
CVE-2025-67860 was published for github.com/neuvector/scanner (Go) Feb 12, 2026
qs's arrayLimit bypass in comma parsing allows denial of service Low
CVE-2026-2391 was published for qs (npm) Feb 12, 2026
Credited to SharokhAtaie and ljharb
LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages Low
CVE-2026-26013 was published for langchain-core (pip) Feb 11, 2026
Credited to Finder16
Eclipse Jetty XmlParser allows arbitrary DOCTYPE declarations Low
GHSA-58qw-p7qm-5rvh was published for org.eclipse.jetty:jetty-xml (Maven) Jul 10, 2023
Credited to uriyay-jfrog, joakime, chadlwilson, and timtebeek
mnl has segmentation fault and invalid memory read in `mnl::cb_run` Low
GHSA-585q-cm62-757j was published for mnl (Rust) Jan 9, 2026
Apache Shiro Affected by an Observable Timing Discrepancy Vulnerability Low
CVE-2026-23901 was published for org.apache.shiro:shiro-core (Maven) Feb 10, 2026
Freeform Craft Plugin CP UI (builder/integrations) has Stored Cross-Site Scripting (XSS) issue Low
GHSA-jp3q-wwp3-pwv9 was published for solspace/craft-freeform (Composer) Jan 22, 2026
Credited to Prav33N-Sec and kjmartens
Keycloak Admin API allows an administrator with limited privileges to retrieve sensitive custom attributes Low
CVE-2025-13881 was published for org.keycloak:keycloak-services (Maven) Feb 2, 2026
Bitcoinrb Vulnerable to Command injection via RPC Low
GHSA-q66h-m87m-j2q6 was published for bitcoinrb (RubyGems) Feb 10, 2026
Craft CMS Vulnerable to Stored XSS in Entry Types Name Low
CVE-2026-25491 was published for craftcms/cms (Composer) Feb 9, 2026
Credited to mHe4am
Open Chinese Convert has Out-of-bounds Write Low
CVE-2025-15536 was published for opencc (npm) Jan 18, 2026
LookupResources Cursor section tampering can crash SpiceDB process via tuple.MustParse panic Low
GHSA-vhvq-fv9f-wh4q was published for github.com/authzed/spicedb (Go) Feb 6, 2026
Credited to 1seal
Winter CMS has Stored Cross-site Scripting (XSS) in Asset Manager Low
CVE-2026-22254 was published for winter/wn-cms-module (Composer) Feb 4, 2026
Credited to iamunixtz
undici Denial of Service attack via bad certificate data Low
CVE-2025-47279 was published for undici (npm) May 15, 2025
Credited to styfle and mcollina
Neo4j Enterprise and Community editions have insufficient escaping of unicode characters in query log Low
CVE-2026-1337 was published for org.neo4j:neo4j (Maven) Feb 6, 2026
Claude Code has Permission Deny Bypass Through Symbolic Links Low
CVE-2026-25724 was published for @anthropic-ai/claude-code (npm) Feb 6, 2026
Credited to HanJeouk and alexander-akait
MineAdmin May Expose Sensitive Information to an Unauthorized Actor Low
CVE-2026-1196 was published for mineadmin/mineadmin (Composer) Jan 20, 2026
MineAdmin has Incorrect Privilege Assignment Low
CVE-2026-1193 was published for mineadmin/mineadmin (Composer) Jan 20, 2026
Microweber Cross-site Scripting vulnerability Low
CVE-2025-70792 was published for microweber/microweber (Composer) Feb 5, 2026
Microweber has a Cross-site Scripting vulnerability Low
CVE-2025-70791 was published for microweber/microweber (Composer) Feb 5, 2026
MineAdmin improperly refreshes tokens Low
CVE-2026-1195 was published for mineadmin/mineadmin (Composer) Jan 20, 2026
Podinfo affected by Arbitrary File Upload that leads to Stored Cross-Site Scripting (XSS) Low
CVE-2025-70849 was published for github.com/stefanprodan/podinfo (Go) Feb 3, 2026
git2 has potential undefined behavior when dereferencing Buf struct Low
GHSA-j39j-6gw9-jw6h was published for git2 (Rust) Feb 4, 2026