Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
2,817
Erlang
23
GitHub Actions
38
Go
2,199
Maven
2,576
npm
2,807
NuGet
486
pip
2,654
Pub
5
RubyGems
325
Rust
872
Swift
19
Unreviewed advisories
All unreviewed
5,000+

14,654 advisories

Loading
@nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading High
CVE-2026-41640 was published for @nocobase/database (npm) Apr 22, 2026
p80n-sec Credited to p80n-sec
@nocobase/plugin-collection-sql: SQL Validation Bypass Through Missing `checkSQL` Call High
CVE-2026-41641 was published for @nocobase/plugin-collection-sql (npm) Apr 22, 2026
p80n-sec Credited to p80n-sec
fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters Moderate
CVE-2026-41650 was published for fast-xml-parser (npm) Apr 22, 2026
TharVid Credited to TharVid
Nuclei: Environment variable disclosure via Response-Derived DSL Expressions Moderate
CVE-2026-41645 was published for github.com/projectdiscovery/nuclei/v3 (Go) Apr 22, 2026
gnuletik Credited to gnuletik
Nuclei: Local File Read via require() Module Loader Bypass Moderate
CVE-2026-41646 was published for github.com/projectdiscovery/nuclei/v3 (Go) Apr 22, 2026
AkashHamal0x01 Credited to AkashHamal0x01
monetr: Server-side request forgery in Lunch Flow link creation and refresh High
CVE-2026-41644 was published for github.com/monetr/monetr (Go) Apr 22, 2026
elliotcourant Credited to elliotcourant
Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping Moderate
CVE-2026-41591 was published for @marko/runtime-tags (npm) Apr 22, 2026
k0w4lzk1 Credited to k0w4lzk1
free5GC AMF: Missing default case in Content-Type switch in HTTPUEContextTransfer Moderate
CVE-2026-41136 was published for github.com/free5gc/amf (Go) Apr 22, 2026
Giancannella Credited to Giancannella
free5GC PCF: Memory Leak via CORS Middleware Registration in HTTP Handler Leads to Denial of Service High
CVE-2026-41135 was published for github.com/free5gc/pcf (Go) Apr 22, 2026
Giancannella Credited to Giancannella
OpenFGA has Improper Policy Enforcement Moderate
CVE-2026-41131 was published for github.com/openfga/openfga (Go) Apr 22, 2026
bugbunny-research Credited to bugbunny-research
RustFS: Missing admin authorization on notification target endpoints allows unauthenticated configuration of event webhooks High
CVE-2026-40937 was published for rustfs (Rust) Apr 22, 2026
kodareef5 Credited to kodareef5
nimiq-blockchain: Peer-triggerable panic during history sync Moderate
CVE-2026-34066 was published for nimiq-blockchain (Rust) Apr 22, 2026
1seal Credited to 1seal and ii-cruz ii-cruz ii-cruz
nimiq-transaction: UpdateValidator transactions allows voting key change without proof-of-knowledge Moderate
CVE-2026-34068 was published for nimiq-transaction (Rust) Apr 22, 2026
1seal Credited to 1seal and paberr paberr paberr
nimiq-transaction: Panic via `HistoryTreeProof` length mismatch Low
CVE-2026-34067 was published for nimiq-transaction (Rust) Apr 22, 2026
1seal Credited to 1seal and paberr paberr paberr
nimiq-primitives: Node crash due to missing interlink validation in election macro block proposals High
CVE-2026-34065 was published for nimiq-primitives (Rust) Apr 22, 2026
1seal Credited to 1seal and paberr paberr paberr
nimiq-account: Vesting insufficient funds error can panic Moderate
CVE-2026-34064 was published for nimiq-account (Rust) Apr 22, 2026
1seal Credited to 1seal and paberr paberr paberr
nimiq-block has skip block quorum bypass via out-of-range BitSet indices & u16 truncation Critical
CVE-2026-33471 was published for nimiq-block (Rust) Apr 22, 2026
1seal Credited to 1seal
DDEV has ZipSlip path traversal in tar and zip archive extraction Moderate
CVE-2026-32885 was published for github.com/ddev/ddev (Go) Apr 22, 2026
SnailSploit Credited to SnailSploit
Inspektor Gadget uses unsanitized ANSI Escape Sequences In `columns` Output Mode Moderate
CVE-2026-25996 was published for github.com/inspektor-gadget/inspektor-gadget (Go) Apr 22, 2026
suidpit Credited to suidpit, ndaprela, eiffel-fl, and flyth ndaprela ndaprela
eiffel-fl eiffel-fl flyth flyth
Inspektor Gadget: Command Injection via malicious buildOptions manipulation Moderate
CVE-2026-24905 was published for github.com/inspektor-gadget/inspektor-gadget (Go) Apr 22, 2026
ndaprela Credited to ndaprela, suidpit, and eiffel-fl suidpit suidpit
eiffel-fl eiffel-fl
i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite High
GHSA-8847-338w-5hcj was published for i18next-fs-backend (npm) Apr 22, 2026
i18nextify has DOM XSS via javascript:/data: URL schemes in translated href/src attributes Moderate
GHSA-6457-mxpq-4fqq was published for i18nextify (npm) Apr 22, 2026
i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns Moderate
GHSA-q89c-q3h5-w34g was published for i18next-http-backend (npm) Apr 22, 2026
i18next-http-middleware: Prototype pollution and path traversal via user-controlled language and namespace parameters High
GHSA-5fgg-jcpf-8jjw was published for i18next-http-middleware (npm) Apr 22, 2026
Daptin: SQL injection via unvalidated goqu.L() calls in aggregate API High
CVE-2026-41422 was published for github.com/daptin/daptin (Go) Apr 22, 2026
VashuVats Credited to VashuVats
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database