Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,621
Maven
5,000+
npm
5,000+
NuGet
927
pip
4,838
Pub
13
RubyGems
1,045
Rust
1,256
Swift
53
Unreviewed advisories
All unreviewed
5,000+

29,469 advisories

Loading
Nginx-UI has Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware that Allows Access to Internal Services High
GHSA-wr32-99hh-6f35 was published for github.com/0xJacky/Nginx-UI (Go) Apr 29, 2026
miffyaa Credited to miffyaa
OpenID Connect nonce generated but never validated — ID token replay attack Moderate
CVE-2026-42206 was published for roadiz/openid (Composer) Apr 29, 2026
athuljayaram Credited to athuljayaram
GoBGP has Remote Denial of Service (Panic) in UpdatePathAttrs4ByteAs via Malformed BGP UPDATE High
CVE-2026-41643 was published for github.com/osrg/gobgp/v4 (Go) Apr 29, 2026
bacon251 Credited to bacon251
GoBGP has Remote Denial of Service (Panic) via Malformed Well-known Path Attribute High
CVE-2026-41642 was published for github.com/osrg/gobgp/v4 (Go) Apr 29, 2026
bacon251 Credited to bacon251
CI4MS has Unrestricted PHP File Upload via Theme Installation that Leads to Authenticated Remote Code Execution High
CVE-2026-41587 was published for ci4-cms-erp/ci4ms (Composer) Apr 29, 2026
dapickle Credited to dapickle
fabric-sdk-java has ObjectInputStream.readObject() without ObjectInputFilter, which allows Java deserialization RCE Critical
CVE-2026-41586 was published for org.hyperledger.fabric-sdk-java:fabric-sdk-java (Maven) Apr 29, 2026
brodmart Credited to brodmart
CKAN has CSRF exemption primed by anonymous requests Moderate
CVE-2026-41255 was published for ckan (pip) Apr 29, 2026
Shirshaw64p Credited to Shirshaw64p
CKAN has no certificate validation on STMP connection Moderate
CVE-2026-41132 was published for ckan (pip) Apr 29, 2026
francisbergin Credited to francisbergin
PhpSpreadsheet has CPU Denial of Service via Unbounded Row Number in XLSX Row Dimensions High
CVE-2026-40902 was published for phpoffice/phpspreadsheet (Composer) Apr 29, 2026
offset Credited to offset
PhpSpreadsheet has CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader High
CVE-2026-40863 was published for phpoffice/phpspreadsheet (Composer) Apr 29, 2026
offset Credited to offset
PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled High
CVE-2026-34084 was published for phpoffice/phpspreadsheet (Composer) Apr 29, 2026
calligraf0 Credited to calligraf0
OneCollector exporter reads unbounded HTTP response bodies Moderate
CVE-2026-41484 was published for OpenTelemetry.Exporter.OneCollector (NuGet) Apr 29, 2026
martincostello Credited to martincostello and rajkumar-rangaraj rajkumar-rangaraj rajkumar-rangaraj
OpenTelemetry.Resources.Azure has an unbounded HTTP response body read Moderate
CVE-2026-41483 was published for OpenTelemetry.Resources.Azure (NuGet) Apr 29, 2026
martincostello Credited to martincostello and Kielek Kielek Kielek
beets has a Cross-site Scripting vulnerability Moderate
CVE-2026-42052 was published for beets (pip) Apr 29, 2026
FORIMOC Credited to FORIMOC and Yuremin Yuremin Yuremin
OpenTelemetry's Zipkin remote endpoint cache could grow without bounds and increase memory pressure Moderate
CVE-2026-41310 was published for OpenTelemetry.Exporter.Zipkin (NuGet) Apr 28, 2026
Kielek Credited to Kielek, martincostello, and arminru martincostello martincostello
arminru arminru
PhpSpreadsheet has XSS via number format code with @ text placeholder bypasses htmlspecialchars in HTML writer Moderate
CVE-2026-40296 was published for phpoffice/phpspreadsheet (Composer) Apr 28, 2026
Keyvanhardani Credited to Keyvanhardani
CoreDNS has TSIG authentication bypass on gRPC and QUIC transports High
CVE-2026-35579 was published for github.com/coredns/coredns (Go) Apr 28, 2026
wnoelll Credited to wnoelll
PhpSpreadsheet has XSS via NumberFormat @ Text Substitution in HTML Writer Moderate
CVE-2026-35453 was published for phpoffice/phpspreadsheet (Composer) Apr 28, 2026
marduc812 Credited to marduc812
CoreDNS has TSIG authentication bypass on DoT, DoH, DoH3, DoQ, and gRPC High
CVE-2026-33190 was published for github.com/coredns/coredns (Go) Apr 28, 2026
manizada Credited to manizada
CoreDNS' transfer stanza selection uses lexicographic compare (subzone ACL bypass) High
CVE-2026-33489 was published for github.com/coredns/coredns (Go) Apr 28, 2026
manizada Credited to manizada
CoreDNS DoH GET oversized dns= query parameter causes pre-validation CPU and memory amplification High
CVE-2026-32936 was published for github.com/coredns/coredns (Go) Apr 28, 2026
thesmartshadow Credited to thesmartshadow
CoreDNS' DoQ worker pool does not bound stream backlog High
CVE-2026-32934 was published for github.com/coredns/coredns (Go) Apr 28, 2026
manizada Credited to manizada
FacturaScripts has Insecure Parameter Handling: Unauthorized Modification of Immutable 'nick' Field Moderate
CVE-2026-32699 was published for facturascripts/facturascripts (Composer) Apr 28, 2026
TurkiOS Credited to TurkiOS
Fiber's cache middleware default key generator ignores query string, causing response mix-up across distinct query parameters Moderate
CVE-2026-30246 was published for github.com/gofiber/fiber/v3 (Go) Apr 28, 2026
xeloxa Credited to xeloxa, gaby, and ReneWerner87 gaby gaby
ReneWerner87 ReneWerner87
OpenClaw: Agent gateway config mutations could change protected operator settings Moderate
GHSA-7jm2-g593-4qrc was published for openclaw (npm) Apr 25, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database