GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
25,671 advisories
deepHas vulnerable to Prototype Pollution via constructor.prototype
Critical: CVE-2026-25047 was published for deephas (npm), Jan 29, 2026

malcontent vulnerable to symlink Path Traversal via handleSymlink argument confusion in archive extraction
Moderate: CVE-2026-24846 was published for github.com/chainguard-dev/malcontent (Go), Jan 29, 2026

malcontent OCI image pull credential exfiltration via malicious registry token realm
Moderate: CVE-2026-24845 was published for github.com/chainguard-dev/malcontent (Go), Jan 29, 2026

Unfurl's debug mode cannot be disabled due to string config parsing (Werkzeug debugger exposure)
Critical: GHSA-vg9h-jx4v-cwx2 was published for dfir-unfurl (pip), Jan 29, 2026

Unfurl's unbounded zlib decompression allows decompression bomb DoS
Moderate: GHSA-h5qv-qjv4-pc5m was published for dfir-unfurl (pip), Jan 29, 2026

Juju has broken CMR authorization
Low: CVE-2026-1237 was published for github.com/juju/juju (Go), Jan 29, 2026

Maker.js has Unsafe Property Copying in makerjs.extendObject
Moderate: CVE-2026-24888 was published for makerjs (npm), Jan 29, 2026

SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE
Critical: GHSA-c4jr-5q7w-f6r9 was published for github.com/siyuan-note/siyuan/kernel (Go), Jan 29, 2026

AutoGPT is Vulnerable to RCE via Disabled Block Execution
High: CVE-2026-24780 was published for agpt (pip), Jan 29, 2026

React Server Components have multiple Denial of Service Vulnerabilities
High: CVE-2026-23864 was published for react-server-dom-parcel (npm), Jan 29, 2026

SiYuan File Read API Case Sensitivity Bypass can Lead to Path Traversal
High: GHSA-f72r-2h5j-7639 was published for github.com/siyuan-note/siyuan/kernel (Go), Jan 28, 2026

soroban-sdk has overflow in Bytes::slice, Vec::slice, GenRange::gen_range for u64
Moderate: CVE-2026-24889 was published for soroban-sdk (Rust), Jan 28, 2026

NocoDB has Prototype Pollution in Connection Test Endpoint, Leading to DoS
Moderate: CVE-2026-24766 was published for nocodb (npm), Jan 28, 2026

NocoDB has Blind SSRF via Unvalidated HEAD Request in uploadViaURL Functionality
Moderate: CVE-2026-24767 was published for nocodb (npm), Jan 28, 2026

NocoDB has Unvalidated Redirect in Login Flow via continueAfterSignIn Parameter
Moderate: CVE-2026-24768 was published for nocodb (npm), Jan 28, 2026

NocoDB Vulnerable to Stored Cross-Site Scripting via SVG upload
High: CVE-2026-24769 was published for nocodb (npm), Jan 28, 2026

DotNetNuke.Core Vulnerable to Stored XSS via Module Title
Critical: CVE-2026-24838 was published for DotNetNuke.Core (NuGet), Jan 28, 2026

Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows
Moderate: CVE-2026-24739 was published for symfony/process (Composer), Jan 28, 2026

EGroupware has SQL Injection in Nextmatch Filter Processing
High: CVE-2026-22243 was published for egroupware/egroupware (Composer), Jan 28, 2026

BrowserStack Local vulnerable to Command Injection through logfile variable
Moderate: CVE-2025-57283 was published for browserstack-local (npm), Jan 28, 2026

ML-DSA Signature Verification Accepts Signatures with Repeated Hint Indices
Moderate: CVE-2026-24850 was published for ml-dsa (Rust), Jan 28, 2026

node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal
High: CVE-2026-24842 was published for tar (npm), Jan 28, 2026

DotNetNuke.Core Vulnerable to Stored XSS in Module Deletion Confirmation Modal
High: CVE-2026-24837 was published for DotNetNuke.Core (NuGet), Jan 28, 2026

DotNetNuke.Core Vulnerable to Stored XSS in Scheduler LogNotes
High: CVE-2026-24836 was published for DotNetNuke.Core (NuGet), Jan 28, 2026

Clatter has a PSK Validity Rule Violation issue
High: CVE-2026-24785 was published for clatter (Rust), Jan 28, 2026

ProTip! Advisories are also available from the GraphQL API.