GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,282
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,105
Rust
1,490
Swift
61
Unreviewed advisories
All unreviewed
5,000+
128 advisories
Filter by severity
netfoil has a domain name filter bypass via multiple questions
Moderate
GHSA-59qp-cfj3-rp64
was published
for
github.com/tinfoil-factory/netfoil
(Go)
Jul 7, 2026
@cedar-policy/authorization-for-expressjs has an authorization bypass via query string manipulation
High
CVE-2026-49473
was published
for
@cedar-policy/authorization-for-expressjs
(npm)
Jun 30, 2026
Hackney has SSRF allowlist bypass in hackney_url:normalize/2 via percent-encoded host
Moderate
CVE-2026-47076
was published
for
hackney
(Erlang)
Jun 26, 2026
Remark42: Cross-Site Scripting (XSS) on /api/v1/img via content-type spoofing
High
CVE-2026-48788
was published
for
github.com/umputun/remark42
(Go)
Jun 26, 2026
OctoPrint has possible file exfiltration via query parameters on upload endpoints
High
CVE-2026-54134
was published
for
OctoPrint
(pip)
Jun 23, 2026
vLLM: image EXIF Rotation & PNG tRNS Transparency Not Normalized, Causing Mismatch Between Model Input and Expectations
Moderate
CVE-2026-12491
was published
for
vllm
(pip)
Jun 17, 2026
python-multipart: Semicolon treated as querystring field separator enables parameter smuggling
Low
CVE-2026-53538
was published
for
python-multipart
(pip)
Jun 15, 2026
python-multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters
Low
CVE-2026-53537
was published
for
python-multipart
(pip)
Jun 15, 2026
node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)
Moderate
CVE-2026-53655
was published
for
tar
(npm)
Jun 15, 2026
SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv Mismatch
Moderate
CVE-2026-47767
was published
for
symfony/runtime
(Composer)
Jun 9, 2026
Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification
Moderate
CVE-2026-45066
was published
for
symfony/html-sanitizer
(Composer)
May 27, 2026
@hapi/content header parser has a parameter smuggling issue that allows upload-filter bypass via duplicate parameters
High
CVE-2026-44974
was published
for
@hapi/content
(npm)
May 27, 2026
Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring
High
CVE-2026-42462
was published
for
@fedify/fedify
(npm)
May 26, 2026
Next.js vulnerable to cache poisoning in React Server Component responses
Moderate
CVE-2026-44576
was published
for
next
(npm)
May 11, 2026
fast-uri vulnerable to host confusion via percent-encoded authority delimiters
High
CVE-2026-6322
was published
for
fast-uri
(npm)
May 8, 2026
A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server...
High
Unreviewed
CVE-2026-8034
was published
May 8, 2026
Flight: HTTP method override enabled by default, facilitating CSRF escalation and middleware bypass
High
CVE-2026-42551
was published
for
flightphp/core
(Composer)
May 6, 2026
Fiber's cache middleware default key generator ignores query string, causing response mix-up across distinct query parameters
Moderate
CVE-2026-30246
was published
for
github.com/gofiber/fiber/v3
(Go)
Apr 28, 2026
Heimdall has an authorization bypass via path normalization mismatch
High
CVE-2026-42274
was published
for
github.com/dadrus/heimdall
(Go)
Apr 25, 2026
Heimdall: Case-sensitive host matching may lead to policy bypass
High
CVE-2026-42273
was published
for
github.com/dadrus/heimdall
(Go)
Apr 25, 2026
Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation
High
CVE-2026-42272
was published
for
github.com/dadrus/heimdall
(Go)
Apr 25, 2026
justhtml has sanitization bypass in custom policies and programmatic DOM
Moderate
GHSA-vrx2-77f2-ww34
was published
for
justhtml
(pip)
Apr 22, 2026
@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes
Critical
CVE-2026-6270
was published
for
@fastify/middie
(npm)
Apr 16, 2026
@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option
High
CVE-2026-33804
was published
for
@fastify/middie
(npm)
Apr 16, 2026
Official Clerk JavaScript SDKs: Middleware-based route protection bypass
Critical
CVE-2026-41248
was published
for
@clerk/astro
(npm)
Apr 16, 2026
ProTip!
Advisories are also available from the
GraphQL API