GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,282
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,105
Rust
1,490
Swift
61
Unreviewed advisories
All unreviewed
5,000+
531 advisories
Filter by severity
ratex-parser panics on `\verb` with a multibyte delimiter (UTF-8 byte-boundary slice)
High
CVE-2026-53530
was published
for
ratex-parser
(Rust)
Jul 7, 2026
uutils coreutils: cp/install/mv/ln --suffix alone does not enable backup mode (silent data loss vs GNU)
High
GHSA-fqf6-gxhh-2xhw
was published
for
uucore
(Rust)
Jul 7, 2026
mkfifo: permissions of an existing file are changed after FIFO creation fails
High
CVE-2026-35341
was published
for
uu_mkfifo
(Rust)
Jul 6, 2026
chmod: --preserve-root bypassed by any path that resolves to root (e.g. /../)
High
CVE-2026-35338
was published
for
uu_chmod
(Rust)
Jul 6, 2026
jxl-grid on 32-bit platforms has an out-of-bounds writes due to integer overflow
High
CVE-2026-52834
was published
for
jxl-grid
(Rust)
Jul 2, 2026
Zebra Address Book Aborted by IPv4-Mapped Mempool Misbehavior Update
High
CVE-2026-52829
was published
for
zebra-network
(Rust)
Jul 2, 2026
Zebra has block suppression via NU5 same-header body poisoning of sent-hash cache
High
CVE-2026-52736
was published
for
zebra-state
(Rust)
Jul 2, 2026
SurrealDB has unauthenticated remote DoS via malformed RPC `use` call
High
GHSA-wjjj-24cx-f28g
was published
for
surrealdb
(Rust)
Jul 1, 2026
SurrealDB has Denial of Service in JSON parser due to nested objects
High
GHSA-q729-696q-g9pq
was published
for
surrealdb
(Rust)
Jul 1, 2026
SurrealDB: HTTP RPC Session Race Condition Allows Privilege Escalation
High
GHSA-4vgr-h27g-cf9p
was published
for
surrealdb
(Rust)
Jul 1, 2026
SurrealDB: HTTP /rpc `sessions` method leaks attached session UUIDs, enabling full session hijack by anonymous callers
High
GHSA-5qfp-32cf-69jh
was published
for
surrealdb
(Rust)
Jul 1, 2026
Mise vulnerable to arbitrary command execution via task-include files in an untrusted, config-less repository
High
CVE-2026-55441
was published
for
mise
(Rust)
Jun 23, 2026
skillctl: argument injection, path traversal in --dest, FIFO/device DoS, hardlink exfiltration, and commit-trailer forgery
High
GHSA-74p7-6h78-gw8p
was published
for
skillctl
(Rust)
Jun 22, 2026
SurrealDB: Arbitrary file read via DEFINE ANALYZER mapper() filter
High
GHSA-cc8f-fcx3-gpjr
was published
for
surrealdb
(Rust)
Jun 19, 2026
Deno: Miller-Rabin Primality Test Allows Zero Rounds
High
CVE-2026-49440
was published
for
deno
(Rust)
Jun 16, 2026
Deno: Command Injection via spawnSync & spawn on Windows
High
CVE-2026-49402
was published
for
deno
(Rust)
Jun 16, 2026
PyO3 has an Out-of-bounds Read in `nth` / `nth_back` for `PyList` and `PyTuple` iterators
High
GHSA-36hh-v3qg-5jq4
was published
for
pyo3
(Rust)
Jun 12, 2026
Russh SSH message fields were decoded through allocation-first parsers before field-specific bounds
High
CVE-2026-48110
was published
for
russh
(Rust)
Jun 11, 2026
Routinator crashes when sending a maliciously crafted select-asn query parameter
High
CVE-2026-49234
was published
for
routinator
(Rust)
Jun 8, 2026
Routinator has cache path traversal when processing the module component of rsync URIs
High
CVE-2026-49233
was published
for
routinator
(Rust)
Jun 8, 2026
Routinator crashes when encountering maliciously crafted RRDP XML files
High
CVE-2026-49235
was published
for
routinator
(Rust)
Jun 8, 2026
skillctl: Path traversal and symlink-follow in skillctl allow arbitrary file disclosure and deletion
High
GHSA-wx3m-whqv-xv47
was published
for
skillctl
(Rust)
Jun 5, 2026
wasmtime-wasi: WASI path_open(TRUNCATE) bypasses `FilePerms::WRITE` host restriction
High
CVE-2026-47261
was published
for
wasmtime-wasi
(Rust)
Jun 5, 2026
russh: Post-decompression SSH packet size was not bounded, allowing remote oversized compressed packets
High
CVE-2026-46702
was published
for
russh
(Rust)
May 29, 2026
Deno's TLS retry copies stale upgrade hook, risking plaintext traffic
High
CVE-2026-44726
was published
for
deno
(Rust)
May 27, 2026
ProTip!
Advisories are also available from the
GraphQL API