Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
3,990
Maven
5,000+
npm
5,000+
NuGet
974
pip
5,000+
Pub
13
RubyGems
1,069
Rust
1,390
Swift
56
Unreviewed advisories
All unreviewed
5,000+

11,152 advisories

Loading
MessagePack's LZ4 decompression may fail with AccessViolationException after dereferencing memory from bad input High
CVE-2026-48109 was published for MessagePack (NuGet) Jun 11, 2026
AArnott Credited to AArnott
GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection High
CVE-2025-27511 was published for org.geoserver.extension:gs-db2 (Maven) Jun 11, 2026
H4cking2theGate Credited to H4cking2theGate, jodygarnett, and aaime jodygarnett jodygarnett
aaime aaime
Russh SSH message fields were decoded through allocation-first parsers before field-specific bounds High
CVE-2026-48110 was published for russh (Rust) Jun 11, 2026
mjc Credited to mjc
AWS Advanced Go Wrapper has Privilege Escalation in Aurora PostgreSQL instance High
CVE-2026-11401 was published for github.com/aws/aws-advanced-go-wrapper/auth-helpers (Go) Jun 11, 2026
WsgiDAV encoded dot segments can escape filesystem share roots High
CVE-2026-48099 was published for wsgidav (pip) Jun 11, 2026
0xHunSec Credited to 0xHunSec
DevGuard has improper authorization on public assets High
CVE-2026-48089 was published for github.com/l3montree-dev/devguard (Go) Jun 11, 2026
philipflohr Credited to philipflohr
Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memory Exhaustion High
CVE-2026-48059 was published for io.netty:netty-codec-haproxy (Maven) Jun 11, 2026
Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS High
CVE-2026-48050 was published for github.com/basekick-labs/arc (Go) Jun 11, 2026
NeuroWinter Credited to NeuroWinter
@grpc/grpc-js: A malformed request can cause a server crash High
CVE-2026-48068 was published for @grpc/grpc-js (npm) Jun 11, 2026
@grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash High
CVE-2026-48069 was published for @grpc/grpc-js (npm) Jun 11, 2026
OpenZeppelin Contracts Wizard has Code Injection in Generated Hardhat and Foundry Tests via Unsanitized opts.name / opts.uri High
CVE-2026-48054 was published for @openzeppelin/wizard (npm) Jun 11, 2026
232-323 Credited to 232-323 and knm6777 knm6777 knm6777
Traefik has a StripPrefix Route-Level Auth Bypass via Path Normalization High
CVE-2026-48020 was published for github.com/traefik/traefik/v2 (Go) Jun 11, 2026
H4ck2 Credited to H4ck2
Element Call reports full URLs of visited pages to analytics server High
CVE-2026-48007 was published for @element-hq/element-call-embedded (npm) Jun 11, 2026
Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator High
CVE-2026-48006 was published for io.netty:netty-codec-redis (Maven) Jun 11, 2026
PDM: Project-Controlled `.pdm-plugins` Content Executes Before CLI Parsing High
CVE-2026-47781 was published for pdm (pip) Jun 11, 2026
xuemian168 Credited to xuemian168
PDM wheel installation leads to Path Traversal via overridden write_to_fs High
CVE-2026-47764 was published for pdm (pip) Jun 10, 2026
Litestar has HTML Injection Through its CSRF Token High
CVE-2026-48060 was published for litestar (pip) Jun 10, 2026
Blinky-Keys Credited to Blinky-Keys
OpenTelemetry Operator for Kubernetes's ServiceMonitor bearerTokenFile reads arbitrary local file and sends contents as bearer auth High
CVE-2026-47701 was published for github.com/open-telemetry/opentelemetry-operator (Go) Jun 10, 2026
everping Credited to everping, arminru, jaronoff97, and swiatekm arminru arminru
jaronoff97 jaronoff97 swiatekm swiatekm
Anyquery has Path Traversal through `clear_plugin_cache`, Allowing Arbitrary Directory Deletion High
CVE-2026-47253 was published for github.com/julien040/anyquery (Go) Jun 10, 2026
232-323 Credited to 232-323
Acknowledgement extension out of memory High
CVE-2025-53114 was published for org.cometd.java:cometd-java-server-common (Maven) Jun 10, 2026
cosimo Credited to cosimo
Nezha has cross-site GET request that can trigger stored cron commands on a victim's agents High
CVE-2026-49396 was published for github.com/nezhahq/nezha (Go) Jun 10, 2026
sondt99 Credited to sondt99
@hulumi/drift: Drift classifier fails open on adapter errors and over-promotes Mixed verdicts High
CVE-2026-48036 was published for @hulumi/drift (npm) Jun 10, 2026
kerberosmansour Credited to kerberosmansour
@hulumi/baseline: AccountFoundation audit-delivery S3 bucket could be silently weakened High
CVE-2026-48035 was published for @hulumi/baseline (npm) Jun 10, 2026
kerberosmansour Credited to kerberosmansour
@hulumi/policies has a HULUMI-H5 bypass via decoy sibling resources targeting a different bucket High
CVE-2026-48034 was published for @hulumi/policies (npm) Jun 10, 2026
kerberosmansour Credited to kerberosmansour
@hulumi/policies bypasses policy packs with a forged Pulumi-URN logical name High
CVE-2026-48033 was published for @hulumi/policies (npm) Jun 10, 2026
kerberosmansour Credited to kerberosmansour
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database