GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

25,439 advisories

Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall Moderate
CVE-2026-22045 was published for github.com/traefik/traefik/v2 (Go) Jan 15, 2026
Credited to pavelkohout396
solspace/craft-freeform Exposed to Known Axios Vulnerabilities via Precompiled Assets Low
GHSA-rwr8-xrpw-9qf5 was published for solspace/craft-freeform (Composer) Jan 15, 2026
solspace/craft-freeform Vulnerable to XSS in `PhpSpreadsheet` HTML Writer Due to Unsanitized Styling Data Low
GHSA-44jg-mv3h-wj6g was published for solspace/craft-freeform (Composer) Jan 15, 2026
Credited to riekusdn
devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse High
CVE-2026-22775 was published for devalue (npm) Jan 15, 2026
Credited to jviide, elliott-with-the-longest-name-on-github, and Rich-Harris
Vert.x Web static handler component cache can be manipulated to deny the access to static files Moderate
CVE-2026-1002 was published for io.vertx:vertx-core (Maven) Jan 15, 2026
lakeFS is Missing Timestamp Validation in S3 Gateway Authentication Moderate
CVE-2025-68671 was published for github.com/treeverse/lakefs (Go) Jan 15, 2026
Pepr Has Overly Permissive RBAC ClusterRole in Admin Mode Low
GHSA-w54x-r83c-x79q was published for pepr (npm) Jan 15, 2026
Credited to tghastings
svelte vulnerable to Cross-site Scripting Moderate
CVE-2025-15265 was published for svelte (npm) Jan 15, 2026
Credited to elliott-with-the-longest-name-on-github and Rich-Harris
solspace/craft-freeform Has a DoS Vulnerability Low
GHSA-58q2-9x27-h2jm was published for solspace/craft-freeform (Composer) Jan 15, 2026
Credited to LeonBatch
alextselegidis/easyappointments is Vulnerable to CSRF Protection Bypass High
CVE-2026-23622 was published for alextselegidis/easyappointments (Composer) Jan 15, 2026
Credited to faroukn
h3 v1 has Request Smuggling (TE.TE) issue High
CVE-2026-23527 was published for h3 (npm) Jan 15, 2026
Credited to simonkoeck
Arcane Has a Command Injection in Arcane Updater Lifecycle Labels That Enables RCE Critical
CVE-2026-23520 was published for github.com/getarcaneapp/arcane/backend (Go) Jan 15, 2026
Credited to DenizParlak
Umbraco CMS contains a server-side request forgery vulnerability Moderate
CVE-2021-47776 was published for UmbracoCms (NuGet) Jan 15, 2026
Aimeos contains a SQL injection vulnerability in the json api 'sort' parameter High
CVE-2021-47763 was published for aimeos/aimeos-laravel (Composer) Jan 15, 2026
Credited to NicsTr
Zitadel has a user enumeration vulnerability in Login UIs Moderate
CVE-2026-23511 was published for github.com/zitadel/zitadel (Go) Jan 15, 2026
Credited to IAM-marco and livio-a
Pimcore Web2Print Tools Bundle "Favourite Output Channel Configuration" Missing Function Level Authorization Moderate
CVE-2026-23496 was published for pimcore/web2print-tools-bundle (Composer) Jan 15, 2026
Credited to ytlamal
Pimcore's Admin Classic Bundle is Missing Function Level Authorization on "Predefined Properties" Listing Moderate
CVE-2026-23495 was published for pimcore/admin-ui-classic-bundle (Composer) Jan 15, 2026
Credited to ytlamal
Pimcore is Vulnerable to Broken Access Control: Missing Function Level Authorization on "Static Routes" Listing Moderate
CVE-2026-23494 was published for pimcore/pimcore (Composer) Jan 15, 2026
Credited to ytlamal
Pimcore ENV Variables and Cookie Informations are exposed in http_error_log High
CVE-2026-23493 was published for pimcore/pimcore (Composer) Jan 15, 2026
Credited to putzflorian
Credited to hashcoko, ottomated, and elliott-with-the-longest-name-on-github
Devalue is vulnerable to denial of service due to memory exhaustion in devalue.parse High
CVE-2026-22774 was published for devalue (npm) Jan 15, 2026
Credited to jviide, elliott-with-the-longest-name-on-github, and Rich-Harris
SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering High
CVE-2025-67647 was published for @sveltejs/adapter-node (npm) Jan 15, 2026
Credited to cold-try, teemingc, benmccann, and d-xuan
DPanel has an arbitrary file deletion vulnerability in /api/common/attach/delete interface High
CVE-2025-66292 was published for github.com/donknap/dpanel (Go) Jan 15, 2026
Credited to pyroxenites