GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,296
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
122 advisories
Filter by severity
SiYuan: Stored XSS in Bazaar marketplace via package README event handlers
High
CVE-2026-54070
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
`lxml_html_clean.Cleaner` does not strip `javascript:` URLs from namespaced URL attributes
High
CVE-2026-49825
was published
for
lxml_html_clean
(pip)
Jul 8, 2026
Spatie Laravel Media Library contains a file upload restriction bypass
High
CVE-2026-48557
was published
for
spatie/laravel-medialibrary
(Composer)
May 29, 2026
OpenClaw: PowerShell encoded-command aliases could miss exec allowlist checks
High
GHSA-j472-gf56-x589
was published
for
openclaw
(npm)
Jul 2, 2026
jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation
High
CVE-2026-54512
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Jun 23, 2026
jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)
High
CVE-2026-54513
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Jun 23, 2026
Nokogiri: XML::Schema on JRuby allows network requests when NONET is set, bypassing CVE-2020-26247
Low
GHSA-8678-w3jw-xfc2
was published
for
nokogiri
(RubyGems)
Jun 19, 2026
Duplicate Advisory: Shell positional parameters could weaken strict inline-eval checks
High
GHSA-27pq-2ph8-8x25
was published
for
openclaw
(npm)
Jun 16, 2026
•
withdrawn
OpenClaw: Exec allowlist could miss side effects from transparent command wrappers
Low
CVE-2026-53848
was published
for
openclaw
(npm)
Jun 18, 2026
Duplicate Advisory: Exec allowlist could miss side effects from transparent command wrappers
Low
GHSA-wrr6-p5r6-474m
was published
for
openclaw
(npm)
Jun 16, 2026
•
withdrawn
OpenClaw: macOS Swift exec allowlist missed combined POSIX inline flags
Moderate
CVE-2026-53861
was published
for
openclaw
(npm)
Jun 18, 2026
Duplicate Advisory: macOS Swift exec allowlist missed combined POSIX inline flags
Moderate
GHSA-g796-jqmx-wf9q
was published
for
openclaw
(npm)
Jun 16, 2026
•
withdrawn
Picklescan does not block ctypes
High
CVE-2025-71323
was published
for
picklescan
(pip)
Dec 29, 2025
Duplicate Advisory: Picklescan does not block ctypes
Critical
GHSA-7f79-rvx6-vxc4
was published
for
picklescan
(pip)
Jun 17, 2026
•
withdrawn
Picklescan (scan_pytorch) Bypass via dynamic eval MAGIC_NUMBER
High
CVE-2026-53875
was published
for
picklescan
(pip)
Feb 18, 2026
PickleScan's profile.run blocklist mismatch allows exec() bypass
Critical
CVE-2026-53873
was published
for
picklescan
(pip)
Mar 3, 2026
Duplicate Advisory: PickleScan's profile.run blocklist mismatch allows exec() bypass
Critical
GHSA-4mpj-78p6-rj59
was published
for
picklescan
(pip)
Jun 17, 2026
•
withdrawn
Picklescan has Incomplete List of Disallowed Inputs
High
CVE-2025-71320
was published
for
picklescan
(pip)
Dec 29, 2025
Duplicate Advisory: Picklescan has Incomplete List of Disallowed Inputs
Critical
GHSA-6v84-v468-3c7f
was published
for
picklescan
(pip)
Jun 17, 2026
•
withdrawn
npm PraisonAI codeMode sandbox escape via Function constructor
Critical
GHSA-vmmj-pfw7-fjwp
was published
for
praisonai
(npm)
Jun 18, 2026
OpenClaw: Shell inline-command parsing could miss an allowlist check
High
CVE-2026-53866
was published
for
openclaw
(npm)
Jun 18, 2026
OpenClaw: Host environment sanitizer missed two Node.js control variables
High
CVE-2026-53864
was published
for
openclaw
(npm)
Jun 18, 2026
Duplicate Advisory: Host environment sanitizer missed two Node.js control variables
High
GHSA-vr6h-vxqj-3pjx
was published
for
openclaw
(npm)
Jun 16, 2026
•
withdrawn
Bleach: URI sanitization allows disallowed URI schemes with Unicode > U+00A0 in output
Low
GHSA-8rfp-98v4-mmr6
was published
for
bleach
(pip)
Jun 16, 2026
Symfony: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient
Moderate
CVE-2026-48736
was published
for
symfony/http-client
(Composer)
Jun 15, 2026
ProTip!
Advisories are also available from the
GraphQL API