GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,269
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,487
Swift
61
Unreviewed advisories
All unreviewed
5,000+
60 advisories
Filter by severity
9routers has Exposure of Sensitive Information and Unprotected Database Import/Export, Allowing Complete Credential Theft and Database Takeover
Critical
CVE-2026-55500
was published
for
9router
(npm)
Jul 6, 2026
9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats
Critical
GHSA-vjc7-jrh9-9j86
was published
for
9router
(npm)
Jul 6, 2026
LaunchServer FileServerHandler has an unauthenticated path traversal issue
Critical
CVE-2026-54617
was published
for
pro.gravit.launcher:launchserver-api
(Maven)
Jul 2, 2026
Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit
Critical
CVE-2026-55447
was published
for
langflow
(pip)
Jun 19, 2026
PraisonAI: AgentOS remains unauthenticated after incomplete fix version and allows remote agent invocation
Critical
GHSA-892r-p3jq-jp24
was published
for
praisonai
(pip)
Jun 18, 2026
Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak
Critical
CVE-2026-55450
was published
for
langflow
(pip)
Jun 17, 2026
HAXcms: Private Key Disclosure via Broken HMAC Implementation
Critical
CVE-2026-46395
was published
for
@haxtheweb/haxcms-nodejs
(npm)
May 19, 2026
Strapi may leak sensitive data via relational filtering due to lack of query sanitization
Critical
CVE-2026-27886
was published
for
@strapi/strapi
(npm)
May 14, 2026
sealed-env: TOTP secret embedded in unseal token payload (enterprise mode)
Critical
CVE-2026-45091
was published
for
io.github.davidalmeidac:sealed-env-core
(Maven)
May 12, 2026
ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction
Critical
CVE-2026-42880
was published
for
github.com/argoproj/argo-cd/v3
(Go)
May 7, 2026
Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening
Critical
GHSA-9h64-2846-7x7f
was published
for
github.com/getaxonflow/axonflow
(Go)
May 6, 2026
Gemini CLI: Remote Code Execution via workspace trust and tool allowlisting bypasses
Critical
GHSA-wpqr-6v78-jr5g
was published
for
@google/gemini-cli
(GitHub Actions)
Apr 24, 2026
Dgraph: Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars
Critical
CVE-2026-41492
was published
for
github.com/dgraph-io/dgraph
(Go)
Apr 24, 2026
Dgraph: Unauthenticated /debug/pprof/cmdline discloses admin auth token, enabling unauthorized access to protected Alpha admin endpoints
Critical
CVE-2026-40173
was published
for
github.com/dgraph-io/dgraph
(Go)
Apr 16, 2026
Pyroscope Exposes Storage Secret
Critical
CVE-2025-41118
was published
for
github.com/grafana/pyroscope
(Go)
Apr 15, 2026
HAPI FHIR HTTP authentication leak in redirects
Critical
CVE-2026-33180
was published
for
ca.uhn.hapi.fhir:org.hl7.fhir.convertors
(Maven)
Mar 18, 2026
SiYuan Vulnerable to Arbitrary File Read in Desktop Publish Service
Critical
CVE-2026-32938
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 17, 2026
Glances's Browser API Exposes Reusable Downstream Credentials via `/api/4/serverslist`
Critical
CVE-2026-32633
was published
for
Glances
(pip)
Mar 16, 2026
SiYuan Vulnerable to Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage
Critical
CVE-2026-30869
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 7, 2026
Rancher doesn't properly sanitize credentials in cluster template answers
Critical
CVE-2021-36783
was published
for
github.com/rancher/rancher
(Go)
Mar 3, 2026
Known affected by Account Takeover via Password Reset Token Leakage
Critical
CVE-2026-26273
was published
for
idno/known
(Composer)
Feb 13, 2026
Argo CD's Project API Token Exposes Repository Credentials
Critical
CVE-2025-55190
was published
for
github.com/argoproj/argo-cd/v2
(Go)
Sep 4, 2025
Valtimo scripting engine can be used to gain access to sensitive data or resources
Critical
CVE-2025-58059
was published
for
com.ritense.valtimo:core
(Maven)
Aug 28, 2025
docusaurus-plugin-content-gists vulnerability exposes GitHub Personal Access Token
Critical
CVE-2025-53624
was published
for
docusaurus-plugin-content-gists
(npm)
Jul 9, 2025
GeoServer has improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF)
Critical
CVE-2024-34711
was published
for
org.geoserver.main:gs-main
(Maven)
Jun 10, 2025
ProTip!
Advisories are also available from the
GraphQL API