GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,296
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
159 advisories
Filter by severity
SiYuan: Stored XSS in Bazaar marketplace via package README event handlers
High
CVE-2026-54070
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
OpenClaw before 2026.5.28 contains a credential exposure vulnerability where workspace dotenv...
High
Unreviewed
CVE-2026-59261
was published
Jul 8, 2026
`lxml_html_clean.Cleaner` does not strip `javascript:` URLs from namespaced URL attributes
High
CVE-2026-49825
was published
for
lxml_html_clean
(pip)
Jul 8, 2026
Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard...
High
Unreviewed
CVE-2026-14534
was published
Jul 4, 2026
Spatie Laravel Media Library contains a file upload restriction bypass
High
CVE-2026-48557
was published
for
spatie/laravel-medialibrary
(Composer)
May 29, 2026
OpenClaw: PowerShell encoded-command aliases could miss exec allowlist checks
High
GHSA-j472-gf56-x589
was published
for
openclaw
(npm)
Jul 2, 2026
n8n before 2.25.7 and 2.26.x before 2.26.2 contains an abstract syntax tree (AST) security...
Moderate
Unreviewed
CVE-2026-56777
was published
Jul 1, 2026
Picklescan before 0.0.25 fails to detect unsafe global functions in the Numpy library, allowing...
High
Unreviewed
CVE-2025-71355
was published
Jul 1, 2026
jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation
High
CVE-2026-54512
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Jun 23, 2026
jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)
High
CVE-2026-54513
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Jun 23, 2026
picklescan before 1.0.4 fails to block at least seven Python standard library modules (including...
Critical
Unreviewed
CVE-2026-56315
was published
Jun 23, 2026
picklescan before 0.0.25 fails to detect malicious pickle files that use timeit.timeit() in the...
High
Unreviewed
CVE-2025-71351
was published
Jun 21, 2026
Nokogiri: XML::Schema on JRuby allows network requests when NONET is set, bypassing CVE-2020-26247
Low
GHSA-8678-w3jw-xfc2
was published
for
nokogiri
(RubyGems)
Jun 19, 2026
Duplicate Advisory: Shell positional parameters could weaken strict inline-eval checks
High
GHSA-27pq-2ph8-8x25
was published
for
openclaw
(npm)
Jun 16, 2026
•
withdrawn
OpenClaw: Exec allowlist could miss side effects from transparent command wrappers
Low
CVE-2026-53848
was published
for
openclaw
(npm)
Jun 18, 2026
Duplicate Advisory: Exec allowlist could miss side effects from transparent command wrappers
Low
GHSA-wrr6-p5r6-474m
was published
for
openclaw
(npm)
Jun 16, 2026
•
withdrawn
OpenClaw: macOS Swift exec allowlist missed combined POSIX inline flags
Moderate
CVE-2026-53861
was published
for
openclaw
(npm)
Jun 18, 2026
Duplicate Advisory: macOS Swift exec allowlist missed combined POSIX inline flags
Moderate
GHSA-g796-jqmx-wf9q
was published
for
openclaw
(npm)
Jun 16, 2026
•
withdrawn
Picklescan does not block ctypes
High
CVE-2025-71323
was published
for
picklescan
(pip)
Dec 29, 2025
Duplicate Advisory: Picklescan does not block ctypes
Critical
GHSA-7f79-rvx6-vxc4
was published
for
picklescan
(pip)
Jun 17, 2026
•
withdrawn
Picklescan (scan_pytorch) Bypass via dynamic eval MAGIC_NUMBER
High
CVE-2026-53875
was published
for
picklescan
(pip)
Feb 18, 2026
PickleScan's profile.run blocklist mismatch allows exec() bypass
Critical
CVE-2026-53873
was published
for
picklescan
(pip)
Mar 3, 2026
Duplicate Advisory: PickleScan's profile.run blocklist mismatch allows exec() bypass
Critical
GHSA-4mpj-78p6-rj59
was published
for
picklescan
(pip)
Jun 17, 2026
•
withdrawn
Picklescan has Incomplete List of Disallowed Inputs
High
CVE-2025-71320
was published
for
picklescan
(pip)
Dec 29, 2025
Duplicate Advisory: Picklescan has Incomplete List of Disallowed Inputs
Critical
GHSA-6v84-v468-3c7f
was published
for
picklescan
(pip)
Jun 17, 2026
•
withdrawn
ProTip!
Advisories are also available from the
GraphQL API