
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,390 advisories

Russh: Unchecked keyboard-interactive prompt count in client auth path Moderate
CVE-2026-48107 was published for russh (Rust) Jun 11, 2026
Credited to mjc
skillctl: Path traversal and symlink-follow in skillctl allow arbitrary file disclosure and deletion High
GHSA-wx3m-whqv-xv47 was published for skillctl (Rust) Jun 5, 2026
wasmtime-wasi: WASI path_open(TRUNCATE) bypasses `FilePerms::WRITE` host restriction High
CVE-2026-47261 was published for wasmtime-wasi (Rust) Jun 5, 2026
Credited to shumbo
matrix-sdk-ui: Incomplete edit validation Moderate
CVE-2026-45057 was published for matrix-sdk-ui (Rust) Jun 4, 2026
Matrix Rust SDK: Sender-binding gaps in to-device and room-key attribution Moderate
CVE-2026-45056 was published for matrix-sdk-crypto (Rust) Jun 4, 2026
rattler has an entry-point path traversal in noarch:python install (arbitrary file write) Moderate
CVE-2026-47425 was published for py-rattler (pip) Jun 1, 2026
Credited to berkant-koc
russh server userauth state is not reset when authentication principal changes Moderate
CVE-2026-46705 was published for russh (Rust) May 29, 2026
Credited to mjc
uv is vulnerable to arbitrary file write through entry point names Moderate
GHSA-4gg8-gxpx-9rph was published for uv (pip) May 29, 2026
Credited to zsol and zanieb
tar has a PAX header desynchronization issue Moderate
GHSA-3pv8-6f4r-ffg2 was published for tar (Rust) May 29, 2026
Credited to woodruffw
astral-tokio-tar has a PAX Header Desynchronization issue Moderate
GHSA-3cv2-h65g-fgmm was published for astral-tokio-tar (Rust) May 29, 2026
Credited to woodruffw
unbounded-spsc: Sender::send pointer-as-value transmute causes OOB read and fake-Arc drop under TX/RX race Moderate
CVE-2026-46690 was published for unbounded-spsc (Rust) May 29, 2026
Credited to berkant-koc
Shamefile has an arbitrary file read via shamefile.yaml in shame next Moderate
CVE-2026-47144 was published for shamefile (npm) May 28, 2026
Credited to BKDDFS
nono: Sandbox escape on Linux via D-Bus: `systemd-run --user` Moderate
CVE-2026-47128 was published for nono-cli (Rust) May 28, 2026
Credited to cgwalters and NickCao
Deno's TLS retry copies stale upgrade hook, risking plaintext traffic High
CVE-2026-44726 was published for deno (Rust) May 27, 2026
Credited to r3wretrhy
Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host Critical
CVE-2026-46703 was published for @boxlite-ai/boxlite (Go) May 21, 2026
Credited to XlabAITeam
BoxLite: Permission Bypass Allows Modification of Read-Only Files Critical
CVE-2026-46695 was published for @boxlite-ai/boxlite (Go) May 21, 2026
Credited to XlabAITeam
Russh: Unchecked CryptoVec allocation and growth handling is reachable High
CVE-2026-46673 was published for russh (Rust) May 21, 2026
Credited to mjc
Plonky3 MultiField32Challenger: transcript malleability and challenge entropy loss High
CVE-2026-46654 was published for p3-challenger (Rust) May 21, 2026
Credited to jonathanpwang and zlangley
nimiq-primitives: Panic DoS in trie chunk processing via ROOT-keyed item High
CVE-2026-46545 was published for nimiq-primitives (Rust) May 21, 2026
Credited to Piravlos and Eligioo
nimiq-blockchain: Genesis batch set request Moderate
CVE-2026-46543 was published for nimiq-blockchain (Rust) May 21, 2026
Credited to Piravlos
nimiq-keys: Denial of service in Ed25519 multisig delinearization via invalid curve points Moderate
CVE-2026-46542 was published for nimiq-keys (Rust) May 21, 2026
Credited to Piravlos and Eligioo