
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open source software.

51,789 advisories

OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence
Severity: High. GHSA-wgx6-g857-jjf7 was published for openc3 (RubyGems) Apr 22, 2026
Credited to ctrlsill

Evolver: Path Traversal via `--out` flag in `fetch` command allows Arbitrary File Write
Severity: High. GHSA-r466-rxw4-3j9j was published for @evomap/evolver (npm) Apr 22, 2026
Credited to xeloxa

rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1
Severity: High. CVE-2026-41676 was published for openssl (Rust) Apr 22, 2026

rust-openssl has incorrect bounds assertion in AES key wrap
Severity: High. CVE-2026-41678 was published for openssl (Rust) Apr 22, 2026

rust-openssl: MdCtxRef::digest_final() writes past caller buffer with no length check
Severity: High. CVE-2026-41681 was published for openssl (Rust) Apr 22, 2026

rust-openssl: Unchecked callback length in PSK/cookie trampolines leaks adjacent memory to peer
Severity: High. GHSA-hppc-g8h3-xhp3 was published for openssl (Rust) Apr 22, 2026

SiYuan: Path Traversal via Double URL Encoding in `/export/` Endpoint (Incomplete Fix Bypass for CVE-2026-30869)
Severity: High. GHSA-hjh7-r5w8-5872 was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 22, 2026

MCPHub has Path Traversal via Malicious MCPB Manifest Name
Severity: High. GHSA-p3h2-2j4p-p83g was published for @samanhappy/mcphub (npm) Apr 22, 2026
Credited to keyblues

i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header
Severity: High. CVE-2026-41683 was published for i18next-http-middleware (npm) Apr 22, 2026

xmldom: Uncontrolled recursion in XML serialization leads to DoS
Severity: High. CVE-2026-41673 was published for @xmldom/xmldom (npm) Apr 22, 2026
Credited to Jvr2022, praveen-kv, and KarimTantawey

xmldom has XML injection through unvalidated DocumentType serialization
Severity: High. CVE-2026-41674 was published for @xmldom/xmldom (npm) Apr 22, 2026
Credited to TharVid

xmldom has XML node injection through unvalidated processing instruction serialization
Severity: High. CVE-2026-41675 was published for @xmldom/xmldom (npm) Apr 22, 2026
Credited to tlsbollei and TharVid

xmldom has XML node injection through unvalidated comment serialization
Severity: High. CVE-2026-41672 was published for @xmldom/xmldom (npm) Apr 22, 2026
Credited to Jvr2022 and TharVid

@nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading
Severity: High. CVE-2026-41640 was published for @nocobase/database (npm) Apr 22, 2026
Credited to p80n-sec

@nocobase/plugin-collection-sql: SQL Validation Bypass Through Missing `checkSQL` Call
Severity: High. CVE-2026-41641 was published for @nocobase/plugin-collection-sql (npm) Apr 22, 2026
Credited to p80n-sec

monetr: Server-side request forgery in Lunch Flow link creation and refresh
Severity: High. CVE-2026-41644 was published for github.com/monetr/monetr (Go) Apr 22, 2026
Credited to elliotcourant

free5GC PCF: Memory Leak via CORS Middleware Registration in HTTP Handler Leads to Denial of Service
Severity: High. CVE-2026-41135 was published for github.com/free5gc/pcf (Go) Apr 22, 2026
Credited to Giancannella