Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,557
Maven
5,000+
npm
5,000+
NuGet
917
pip
4,805
Pub
13
RubyGems
1,038
Rust
1,237
Swift
53
Unreviewed advisories
All unreviewed
5,000+

29,242 advisories

Loading
OpenBao's Token Store Allows Cross-Namespace Renewal, Revocation Low
CVE-2026-40264 was published for github.com/openbao/openbao (Go) Apr 21, 2026
Zwique Credited to Zwique
OpenBao's SQL Injection in PostgreSQL database secrets engine Moderate
CVE-2026-39946 was published for github.com/openbao/openbao (Go) Apr 21, 2026
jmecom Credited to jmecom
OpenBao: Decompression Bomb via Unbounded Copy in OCI Plugin Extraction (DoS) Low
CVE-2026-39396 was published for github.com/openbao/openbao (Go) Apr 21, 2026
n1rwhex Credited to n1rwhex
OpenBao's Certificate Authentication Allows Token Renewal With Different Certificate Low
CVE-2026-39388 was published for github.com/openbao/openbao (Go) Apr 21, 2026
jmecom Credited to jmecom
Neko has a Self-service Privilege Escalation for Authenticated Users High
CVE-2026-39386 was published for github.com/m1k1o/neko/server (Go) Apr 21, 2026
blitzkrieg-patch Credited to blitzkrieg-patch
nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding Moderate
CVE-2026-39378 was published for nbconvert (pip) Apr 21, 2026
g0blinResearch Credited to g0blinResearch
nbconvert has an Arbitrary File Write via Path Traversal in Cell Attachment Filenames Moderate
CVE-2026-39377 was published for nbconvert (pip) Apr 21, 2026
g0blinResearch Credited to g0blinResearch
Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths High
CVE-2026-39320 was published for signalk-server (npm) Apr 21, 2026
VashuVats Credited to VashuVats
October CMS: Editor Sub-Permission Bypass for Asset and Blueprint File Operations Low
CVE-2026-29179 was published for october/system (Composer) Apr 21, 2026
October CMS: Reflected XSS via DataTable Form Widget Low
CVE-2026-27937 was published for october/system (Composer) Apr 21, 2026
daftspunk Credited to daftspunk
October CMS has Safe Mode Bypass via Twig Database Write Operations Moderate
CVE-2026-26274 was published for october/october (Composer) Apr 21, 2026
Neosprings Credited to Neosprings and daftspunk daftspunk daftspunk
October CMS has Safe Mode Bypass via CSS Preprocessor Compilers Moderate
CVE-2026-26067 was published for october/system (Composer) Apr 21, 2026
Neosprings Credited to Neosprings and daftspunk daftspunk daftspunk
Tekton Pipelines has VerificationPolicy regex pattern bypass via substring matching Moderate
CVE-2026-25542 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
1seal Credited to 1seal, offset, and vdemeester offset offset
vdemeester vdemeester
Auth0 Next.js SDK has Improper Proxy Cache Lookup Moderate
CVE-2026-40155 was published for @auth0/nextjs-auth0 (npm) Apr 21, 2026
OpenMage LTS: Cross-user wishlist import leads to private option & file disclosure Moderate
CVE-2026-40098 was published for openmage/magento-lts (Composer) Apr 21, 2026
LoGGGG2402 Credited to LoGGGG2402
Glances has CQL Injection in its Cassandra Export Module via Unsanitized Config Values Moderate
CVE-2026-35588 was published for glances (pip) Apr 21, 2026
morimori-dev Credited to morimori-dev
Glances has SSRF in IP Plugin via public_api leading to credential leakage High
CVE-2026-35587 was published for glances (pip) Apr 21, 2026
Venukamatchi Credited to Venukamatchi
OpenClaude: Sandbox Bypass via Early-Exit Logic Flaw Allows Path Traversal High
CVE-2026-35570 was published for @gitlawb/openclaude (npm) Apr 21, 2026
Rickidevs Credited to Rickidevs
Glances: Cross-Origin Information Disclosure via Unauthenticated REST API (/api/4) due to Permissive CORS High
CVE-2026-34839 was published for Glances (pip) Apr 21, 2026
Venukamatchi Credited to Venukamatchi
Nginx-UI: Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints High
CVE-2026-34403 was published for github.com/0xJacky/Nginx-UI (Go) Apr 21, 2026
LMDeploy has Server-Side Request Forgery (SSRF) via Vision-Language Image Loading High
CVE-2026-33626 was published for lmdeploy (pip) Apr 21, 2026
stepanskyigor-orca Credited to stepanskyigor-orca
Nginx-UI: Disabled users retain full API access through previously issued bearer tokens High
CVE-2026-33031 was published for github.com/0xJacky/Nginx-UI (Go) Apr 21, 2026
jaehonam Credited to jaehonam
Spinnaker: RCE via expression parsing due to unrestricted context handling Critical
CVE-2026-32613 was published for io.spinnaker.echo:echo-pipelinetriggers (Maven) Apr 21, 2026
LeftenantZero Credited to LeftenantZero and jasonmcintosh jasonmcintosh jasonmcintosh
Spinnaker: RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths Critical
CVE-2026-32604 was published for io.spinnaker.clouddriver:clouddriver-artifacts-gitrepo (Maven) Apr 21, 2026
LeftenantZero Credited to LeftenantZero and jasonmcintosh jasonmcintosh jasonmcintosh
python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback Moderate
CVE-2026-28684 was published for python-dotenv (pip) Apr 21, 2026
tsigouris007 Credited to tsigouris007 and bbc2 bbc2 bbc2
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database