GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,282
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,105
Rust
1,490
Swift
61
Unreviewed advisories
All unreviewed
5,000+
95 advisories
Filter by severity
Pathway through 0.31.1, fixed in commit d09722e, document store applies a caller-supplied glob...
High
Unreviewed
CVE-2026-59094
was published
Jul 2, 2026
@conform-to/dom parseSubmission vulnerable to CPU exhaustion when parsing many unique form fields
High
CVE-2026-49250
was published
for
@conform-to/dom
(npm)
Jul 2, 2026
fzf is vulnerable to a Denial of Service (DoS) due to inefficient HTTP body processing in the -...
Moderate
Unreviewed
CVE-2026-53433
was published
Jun 30, 2026
js-toml vulnerable to CPU exhaustion via O(n^2) BigInt construction on radix-prefixed integer literals
High
CVE-2026-49293
was published
for
js-toml
(npm)
Jun 26, 2026
MessagePack-CSharp: InterfaceLookupFormatter bypasses collision-resistant comparer settings
Moderate
CVE-2026-48516
was published
for
MessagePack
(NuGet)
Jun 25, 2026
MessagePack-CSharp: ExpandoObject formatter can perform quadratic insertion work on untrusted maps
Moderate
CVE-2026-48511
was published
for
MessagePack
(NuGet)
Jun 25, 2026
MessagePack-CSharp: Denial of service vulnerabilities can swamp the CPU or crash the process with stack and heap overflows
High
CVE-2026-48502
was published
for
MessagePack
(NuGet)
Jun 25, 2026
py7zr: O(n^2) algorithmic complexity DoS in PackInfo._read()
Moderate
CVE-2026-55206
was published
for
py7zr
(pip)
Jun 19, 2026
parse-server: Denial of service via exponential-time processing of deeply nested query operators
High
GHSA-cgxm-vr2f-6fj8
was published
for
parse-server
(npm)
Jun 19, 2026
pypdf: Inefficient decoding of FlateDecode PNG predictor streams
Moderate
CVE-2026-49460
was published
for
pypdf
(pip)
Jun 16, 2026
markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations
Moderate
CVE-2026-48988
was published
for
markdown-it
(npm)
Jun 15, 2026
python-multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service
High
CVE-2026-53539
was published
for
python-multipart
(pip)
Jun 15, 2026
JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
Moderate
CVE-2026-53550
was published
for
js-yaml
(npm)
Jun 15, 2026
Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are...
High
Unreviewed
CVE-2026-41850
was published
Jun 9, 2026
Version 3.0.7 of the Securly Chrome Extension uses deprecated SHA-1 hashing for IWF CSAM URL...
High
Unreviewed
CVE-2026-8889
was published
Jun 3, 2026
unicodedata.normalize() can take excessive CPU time when processing
specially crafted Unicode...
Moderate
Unreviewed
CVE-2026-3276
was published
Jun 3, 2026
Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume...
High
Unreviewed
CVE-2026-42504
was published
Jun 3, 2026
IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop...
High
Unreviewed
CVE-2026-48959
was published
May 27, 2026
NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability when handling replies...
Moderate
Unreviewed
CVE-2026-44390
was published
May 20, 2026
NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the DNSSEC validator...
Moderate
Unreviewed
CVE-2026-42923
was published
May 20, 2026
NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service...
Moderate
Unreviewed
CVE-2026-41292
was published
May 20, 2026
ImageMagick: Policy Bypass in MNG coder could
Moderate
CVE-2026-45664
was published
for
Magick.NET-Q16-AnyCPU
(NuGet)
May 18, 2026
Absinthe: Quadratic fragment-name uniqueness check
High
CVE-2026-43967
was published
for
absinthe
(Erlang)
May 14, 2026
In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows...
Low
Unreviewed
CVE-2026-45186
was published
May 10, 2026
justhtml introduces denial-of-service hardening
Low
GHSA-r8cj-3554-33mr
was published
for
justhtml
(pip)
May 8, 2026
ProTip!
Advisories are also available from the
GraphQL API