GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,275
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,104
Rust
1,489
Swift
61
Unreviewed advisories
All unreviewed
5,000+
18 advisories
Filter by severity
GoFiber never set HSTS header in helmet middleware due to incorrect protocol check
Moderate
CVE-2026-53624
was published
for
github.com/gofiber/fiber
(Go)
Jul 6, 2026
CefSharp.Common: `FolderSchemeHandlerFactory` path boundary check can expose files outside the configured root folder
Moderate
CVE-2026-48796
was published
for
CefSharp.Common
(NuGet)
Jun 30, 2026
Nezha Dashboard: DDNS and Notification credential exposure via unredacted list API
Moderate
GHSA-ww5p-j6cj-6mqq
was published
for
github.com/nezhahq/nezha
(Go)
Jun 26, 2026
Nezha Monitoring: Authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing
Moderate
CVE-2026-53520
was published
for
github.com/nezhahq/nezha
(Go)
Jun 26, 2026
Network-AI: EnvironmentManager.backup() follows symlinked directories and copies files outside the environment root into backups
Moderate
GHSA-6x2m-p4xp-wg22
was published
for
network-ai
(npm)
Jun 19, 2026
Network-AI: AgentRuntime sandbox path-prefix checks allow file access outside the configured base directory
Moderate
GHSA-jvcm-f35g-w78p
was published
for
network-ai
(npm)
Jun 19, 2026
BBOT: Path traversal (Zip-Slip) in unarchive module - incomplete fix for CVE-2025-10284
Moderate
CVE-2026-12565
was published
for
bbot
(pip)
Jun 18, 2026
pypdf: Missing stream length values ignore defined limits
Moderate
GHSA-jm82-fx9c-mx94
was published
for
pypdf
(pip)
Jun 18, 2026
PraisonAI: Unauthenticated Event Injection via SSE `/publish` Endpoint
Moderate
GHSA-35w5-pcw4-jx94
was published
for
praisonaiagents
(pip)
Jun 18, 2026
UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()`
Moderate
CVE-2026-48125
was published
for
ua-parser-js
(npm)
Jun 15, 2026
protobufjs: Memory amplification from preserved unknown fields in binary decode
Moderate
CVE-2026-54270
was published
for
protobufjs
(npm)
Jun 15, 2026
Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitrary message header injection
Moderate
GHSA-268h-hp4c-crq3
was published
for
nodemailer
(npm)
Jun 15, 2026
Nodemailer jsonTransport bypasses disableFileAccess and disableUrlAccess during message normalization
Moderate
GHSA-wqvq-jvpq-h66f
was published
for
nodemailer
(npm)
Jun 15, 2026
pypdf: Possible long runtimes for zero-only width values in cross-reference streamsuntimes for zero-only width values in cross-reference streams
Moderate
CVE-2026-48156
was published
for
pypdf
(pip)
Jun 12, 2026
pypdf: Possible large memory usage for large offsets for layout mode text
Moderate
CVE-2026-48155
was published
for
pypdf
(pip)
Jun 12, 2026
Nhost CLI local configserver allows cross-origin unauthenticated read/write access to local development configuration and secrets
Moderate
CVE-2026-47671
was published
for
github.com/nhost/nhost
(Go)
Jun 4, 2026
Nezha's authenticated DDNS webhook configuration allows blind SSRF from the dashboard host
Moderate
CVE-2026-47268
was published
for
github.com/naiba/nezha
(Go)
May 29, 2026
Nezha Monitoring: Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members
Moderate
CVE-2026-47124
was published
for
github.com/nezhahq/nezha
(Go)
May 23, 2026
ProTip!
Advisories are also available from the
GraphQL API