
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

9,045 advisories

@modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse (High)
CVE-2026-25536 was published for @modelcontextprotocol/sdk (npm) Feb 4, 2026
Credited to gh-arpeet and ahabian
Antrea has invalid enforcement order for network policy rules caused by integer overflow (High)
CVE-2026-25804 was published for antrea.io/antrea (Go) Feb 6, 2026
Credited to antoninbas and Dyanngg
Blocklist Bypass possible via ECDSA Signature Malleability (High)
CVE-2026-25793 was published for github.com/slackhq/nebula (Go) Feb 6, 2026
Credited to mrtufan
MCP-Salesforce's arbitrary attribute access leads to disclosure of Salesforce auth token (High)
CVE-2026-25650 was published for mcp-salesforce-connector (pip) Feb 6, 2026
godot-mcp has Command Injection via unsanitized projectPath (High)
CVE-2026-25546 was published for @coding-solo/godot-mcp (npm) Feb 4, 2026
Credited to TianYu-0829, wcole3, and Coding-Solo
Decidim's private data exports can lead to data leaks (High)
CVE-2025-65017 was published for decidim (RubyGems) Feb 3, 2026
Credited to ahukkanen
Below has Incorrect Permission Assignment for Critical Resource (High)
CVE-2025-27591 was published for below (Rust) Mar 11, 2025
Credited to mgerstner
Sliver has DNS C2 OTP Bypass that Allows Unauthenticated Session Flooding and Denial of Service (High)
CVE-2026-25791 was published for github.com/bishopfox/sliver (Go) Feb 6, 2026
Credited to xtle0o0
Credited to ZeroXJacks
AdonisJS multipart body parsing has Prototype Pollution issue (High)
CVE-2026-25754 was published for @adonisjs/bodyparser (npm) Feb 6, 2026
Credited to RomainLanz
Unauthenticated Spree Commerce users can view completed guest orders by Order ID (High)
CVE-2026-25757 was published for spree_storefront (RubyGems) Feb 5, 2026
Credited to p-
Unauthenticated Spree Commerce users can access all guest addresses (High)
CVE-2026-25758 was published for spree_api (RubyGems) Feb 5, 2026
Credited to p-
NiceGUI's Path Traversal via Unsanitized FileUpload.name Enables Arbitrary File Write (High)
CVE-2026-25732 was published for nicegui (pip) Feb 5, 2026
Credited to k14uz, falkoschindler, and evnchn
Mattermost Server uses weak hashing for OAuth, email verification tokens and invitations (High)
CVE-2017-18917 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Duplicate Advisory: npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability (High)
CVE-2026-0775 was published for npm (npm) Jan 23, 2026 (withdrawn)
Credited to Mauripache
qdrant has arbitrary file write via `/logger` endpoint (High)
CVE-2026-25628 was published for qdrant (Rust) Feb 5, 2026
Credited to Ezzer17
OpenClaw vulnerable to Unauthenticated Local RCE via WebSocket config.apply (High)
CVE-2026-25593 was published for openclaw (npm) Feb 4, 2026
Credited to hackerman70000
Pydantic AI has Stored XSS via Path Traversal in Web UI CDN URL (High)
CVE-2026-25640 was published for pydantic-ai (pip) Feb 6, 2026
Credited to doredry, urioren, and amiteliahu
Pydantic AI has Server-Side Request Forgery (SSRF) in URL Download Handling (High)
CVE-2026-25580 was published for pydantic-ai (pip) Feb 6, 2026
Credited to YuvalElbar6 and doredry
OpenSTAManager has a Time-Based Blind SQL Injection in Article Pricing Module (High)
CVE-2026-24416 was published for devcode-it/openstamanager (Composer) Feb 6, 2026
Credited to lukasz-rybak
OpenCloud Reva has a Public Link Exploit (High)
CVE-2026-23989 was published for github.com/opencloud-eu/reva/v2 (Go) Feb 5, 2026
Credited to rhafer, aduffeck, dragotin, and micbar
Malicious HTML+XHR Artifact Privilege Escalation in Argo Workflows (High)
CVE-2022-29164 was published for github.com/argoproj/argo-workflows/v3 (Go) May 23, 2022
Credited to alexec
Mattermost Confluence plugin doesn't properly escape user-controlled display names in HTML template rendering (High)
CVE-2025-13523 was published for github.com/mattermost/mattermost-plugin-confluence (Go) Feb 6, 2026
Gogs vulnerable to Stored XSS via Mermaid diagrams (High)
GHSA-26gq-grmh-6xm6 was published for gogs.io/gogs (Go) Feb 6, 2026
Credited to jdomeracki
Phlex XSS protection bypass via attribute splatting, dynamic tags, and href values (High)
GHSA-w67g-2h6v-vjgq was published for phlex (RubyGems) Feb 6, 2026