GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

25,464 advisories

Credited to Jvr2022
REC in MCPJam inspector due to HTTP Endpoint exposes (Severity: Critical)
CVE-2026-23744 was published for @mcpjam/inspector (npm) Jan 16, 2026
Credited to c2an1
GraphQL Modules has a Race Condition issue (Severity: High)
CVE-2026-23735 was published for graphql-modules (npm) Jan 16, 2026
Credited to DuckThom, enisdenjo, and ardatan
Veramo is Vulnerable to SQL Injection in Veramo Data Store ORM (Severity: Moderate)
GHSA-38cw-85xc-xr9x was published for @veramo/data-store (npm) Jan 16, 2026
Credited to rekter0
Skipper is vulnerable to arbitrary code execution through lua filters (Severity: High)
CVE-2026-23742 was published for github.com/zalando/skipper (Go) Jan 16, 2026
Credited to b0b0haha
svelte is vulnerable to XSS with textarea bind:value (Severity: High)
GHSA-gw32-9rmw-qwww was published for svelte (npm) Jan 16, 2026
Credited to coyotte508, Conduitry, and benmccann
CakePHP PaginatorHelper::limitControl() vulnerable to reflected cross-site-scripting (Severity: Moderate)
CVE-2026-23643 was published for cakephp/cakephp (Composer) Jan 16, 2026
Credited to markstory
Crawl4AI is Vulnerable to Remote Code Execution in Docker API via Hooks Parameter (Severity: Critical)
GHSA-5882-5rx9-xgxp was published for Crawl4AI (pip) Jan 16, 2026
Crawl4AI Has Local File Inclusion in Docker API via file:// URLs (Severity: High)
GHSA-vx9w-5cx4-9796 was published for crawl4ai (pip) Jan 16, 2026
SiYuan Has a Stored Cross-Site Scripting (XSS) Vulnerability via Unrestricted SVG File Upload (Severity: Moderate)
CVE-2026-23645 was published for github.com/siyuan-note/siyuan/kernel (Go) Jan 16, 2026
Credited to jaroslaw-wawiorko
Active Job - Object injection security vulnerability (Severity: Moderate)
GHSA-mpwp-4h2m-765c was published for activejob (RubyGems) Jan 16, 2026
ActiveRecord-JDBC-Adapter (AR-JDBC) lib/arjdbc/jdbc/adapter.rb sql.gsub() Function SQL Injection (Severity: High)
GHSA-5qw5-wf2q-f538 was published for activerecord-jdbc-adapter (RubyGems) Jan 16, 2026
pyasn1 has a DoS vulnerability in decoder (Severity: High)
CVE-2026-23490 was published for pyasn1 (pip) Jan 16, 2026
Credited to tsigouris007
Weblate wlc path traversal vulnerability: Unsanitized API slugs in download command (Severity: High)
CVE-2026-23535 was published for wlc (pip) Jan 16, 2026
Credited to Zee99y and nijel
Dask Distributed is Vulnerable to Remote Code Execution via Jupyter Proxy and Dashboard (Severity: Moderate)
CVE-2026-23528 was published for distributed (pip) Jan 16, 2026
Credited to SharokhAtaie
Deno node:crypto doesn't finalize cipher (Severity: Critical)
CVE-2026-22863 was published for deno (Rust) Jan 16, 2026
Credited to davidebombelli, vdata1, and reallyTG
RustFS's RPC signature verification logs shared secret (Severity: Low)
CVE-2026-22782 was published for rustfs (Rust) Jan 16, 2026
Credited to rand-tech
Nu Html Checker (vnu) contains a Server-Side Request Forgery (SSRF) vulnerability (Severity: Moderate)
CVE-2025-15104 was published for nu.validator:validator (Maven) Jan 16, 2026
Credited to augustocesarperin
Apache Airflow secrets in rendered templates could contain parts of sensitive values when truncated (Severity: High)
CVE-2025-68438 was published for apache-airflow (pip) Jan 16, 2026
Apache Airflow proxy credentials for various providers might leak in task logs (Severity: High)
CVE-2025-68675 was published for apache-airflow (pip) Jan 16, 2026
Mattermost is vulnerable to DoS due to infinite re-renders on API errors (Severity: Moderate)
CVE-2025-14435 was published for github.com/mattermost/mattermost-server (Go) Jan 16, 2026
Mattermost is vulnerable to CPU exhaustion via crafted HTTP request (Severity: Low)
CVE-2025-14822 was published for github.com/mattermost/mattermost-server (Go) Jan 16, 2026
PlantUML is vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams (Severity: Low)
CVE-2026-0858 was published for net.sourceforge.plantuml:plantuml (Maven) Jan 16, 2026
Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall (Severity: Moderate)
CVE-2026-22045 was published for github.com/traefik/traefik/v2 (Go) Jan 15, 2026
Credited to pavelkohout396
ProTip! Advisories are also available from the GraphQL API