GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

30,281 advisories

Hono has CSS Declaration Injection via Style Object Values in JSX SSR Moderate
CVE-2026-44458 was published for hono (npm) May 9, 2026
Credited to Gayang2902
Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify() Low
CVE-2026-44459 was published for hono (npm) May 9, 2026
Credited to AdmirBajric
@profullstack/mcp-server vulnerable to OS Command Injection in domain_lookup Module Critical
GHSA-v6wj-c83f-v46x was published for @profullstack/mcp-server (npm) May 9, 2026
Credited to 232-323
Velocity.js has a Prototype Pollution vulnerability through #set path assignment High
CVE-2026-44966 was published for velocityjs (npm) May 9, 2026
Credited to yumarun
Vert.x has a DoS via unbounded server-side SNI SslContext cache growth Moderate
CVE-2026-6860 was published for io.vertx:vertx-core (Maven) May 9, 2026
Credited to shblue21
Credited to Danny-Devs
Mistune Heading ID Attribute has Injection XSS Moderate
CVE-2026-44897 was published for mistune (pip) May 9, 2026
Credited to QiaoNPC and Across-Verticals-Malaysia
@yoda.digital/gitlab-mcp-server's SSE transport has no authentication and wildcard CORS, exposing all 86 GitLab tools High
CVE-2026-44895 was published for @yoda.digital/gitlab-mcp-server (npm) May 9, 2026
smallbitvec: Integer overflow in safe API leads to heap buffer overflow High
CVE-2026-44983 was published for smallbitvec (Rust) May 9, 2026
Credited to ksj1230
SharpCompress has directory traversal via directory entries in WriteToDirectory (zip slip variant) Moderate
CVE-2026-44788 was published for SharpCompress (NuGet) May 8, 2026
Credited to svenclaesson
epa4all-client has a VAU Signature bypass High
CVE-2026-44900 was published for com.oviva.telematik:epa4all-client (Maven) May 8, 2026
Credited to snomi and Volcore
Mistune has XSS via unescaped figclass/figwidth in Figure directive Moderate
CVE-2026-44896 was published for mistune (pip) May 8, 2026
Credited to sergeykochanov
Mistune Math Plugin has an XSS Escape Bypass Moderate
CVE-2026-44708 was published for mistune (pip) May 8, 2026
Credited to QiaoNPC and Across-Verticals-Malaysia
view_component: System Test Entry Point Path Check Allows Sibling Directory Escape Moderate
CVE-2026-44837 was published for view_component (RubyGems) May 8, 2026
Credited to cyberlanc3r
view_component: Preview Route Can Dispatch Inherited Helper Methods Moderate
CVE-2026-44836 was published for view_component (RubyGems) May 8, 2026
Credited to cyberlanc3r
Snipe-IT has an open redirect vulnerability Moderate
CVE-2026-44833 was published for snipe/snipe-it (Composer) May 8, 2026
Credited to CE2Sec
Credited to aslein1413-sys
eml_parser has recursion DoS via nested message/rfc822 attachments Moderate
CVE-2026-44844 was published for eml_parser (pip) May 8, 2026
Credited to Sebasteuo
Credited to u-ktdi, dewankpant, shrutilohani, Moaaz-0x, yardenporat353, pucagit, nick-hollon-lc, and localhost-detect
Phpseclib needs guardrails on large binaryfield integers High
CVE-2023-49316 was published for phpseclib/phpseclib (Composer) May 8, 2026
Snipe-IT has insecure permissions in file uploads Critical
CVE-2026-37709 was published for snipe/snipe-it (Composer) May 8, 2026
Credited to 0xAspros
Credited to LinZiyuu
free5GC's SMF UPI management interface lacks auth middleware; unauthenticated topology read/write requests reach handlers Critical
CVE-2026-44329 was published for github.com/free5gc/smf (Go) May 8, 2026
Credited to LinZiyuu
Credited to LinZiyuu
free5GC's NEF nnef-oam route group is unauthenticated; no-token requests reach the OAM handler Critical
CVE-2026-44327 was published for github.com/free5gc/nef (Go) May 8, 2026
Credited to LinZiyuu
ProTip! Advisories are also available from the GraphQL API