GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

29,387 advisories

ParquetSharp: Possible Stack Overflow When Reading a ParquetFile with Large Decimal Type Width (Moderate)
GHSA-rrjr-v56m-ww88 was published for ParquetSharp (NuGet) Apr 24, 2026
Credited to adamreeve, CurtHagenlocher, and marcin-krystianc

TYPO3 CMS Stores Cleartext Password in User Settings Module (High)
CVE-2026-6553 was published for typo3/cms-backend (Composer) Apr 24, 2026
Credited to mclewing, garvinhicking, and ohader

Traefik has a StripPrefixRegex Middleware Authorization Bypass via Path/RawPath Desync (High)
CVE-2026-40912 was published for github.com/traefik/traefik (Go) Apr 24, 2026
Credited to gouldnicholas

k8sGPT has Prompt Injection through its k8sGPT-Operator (High)
GHSA-rp7v-4384-hfrp was published for github.com/k8sgpt-ai/k8sgpt (Go) Apr 24, 2026
Credited to haruki3hhh

Claude Code: Trust Dialog Bypass via Git Worktree Spoofing Allows Arbitrary Code Execution (High)
CVE-2026-40068 was published for @anthropic-ai/claude-code (npm) Apr 24, 2026

Traefik: Pre-authentication decision bypass due to forwarded alias spoofing (High)
CVE-2026-39858 was published for github.com/traefik/traefik (Go) Apr 24, 2026
Credited to fancymalware

Traefik's ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass authentication (High)
CVE-2026-35051 was published for github.com/traefik/traefik (Go) Apr 24, 2026
Credited to Zwique

go-zserio has Unbounded Memory Allocation for All Platforms (Critical)
GHSA-xhj4-g6w8-2xjw was published for github.com/woven-planet/go-zserio (Go) Apr 24, 2026
Credited to Ryujiyasu

Zserio Runtime: Integer Overflow in BitStreamReader and Unbounded Memory Allocation in Deserialization (High)
CVE-2026-33524 was published for io.github.ndsev:zserio-runtime (Maven) Apr 24, 2026
Credited to Ryujiyasu

rustls-webpki: Denial of service via panic on malformed CRL BIT STRING (High)
GHSA-82j2-j2ch-gfr8 was published for rustls-webpki (Rust) Apr 24, 2026
Credited to tynus3

Budibase auth session cookies are set with httpOnly:false — any XSS can lead to full account takeover (High)
GHSA-4f9j-vr4p-642r was published for @budibase/backend-core (npm) Apr 24, 2026
Credited to AyushParkara

Kimai has Missing Object-Level Authorization in the Team API (Low)
CVE-2026-41498 was published for kimai/kimai (Composer) Apr 24, 2026
Credited to AzureADTrent

LiteLLM has SQL Injection in Proxy API key verification (Critical)
GHSA-r75f-5x8p-qvmc was published for litellm (pip) Apr 24, 2026

Dgraph: Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars (Critical)
CVE-2026-41492 was published for github.com/dgraph-io/dgraph (Go) Apr 24, 2026
Credited to MaherAzzouzi

Ray: Remote Code Execution via Parquet Arrow Extension Type Deserialization (High)
CVE-2026-41486 was published for ray (pip) Apr 24, 2026
Credited to shakevsky

Avo: Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources (High)
GHSA-qc5p-3mg5-9fh8 was published for avo (RubyGems) Apr 24, 2026

LiteLLM: Server-Side Template Injection in /prompts/test endpoint (High)
GHSA-xqmj-j6mv-4862 was published for litellm (pip) Apr 24, 2026

nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields (Moderate)
GHSA-f5c8-m5vw-rmgq was published for almirhodzic/nova-toggle-5 (Composer) Apr 24, 2026
Credited to RobertoNegro

AWS Encryption SDK for Python: Key commitment policy bypass via shared key cache (Moderate)
CVE-2026-6550 was published for aws-encryption-sdk (pip) Apr 24, 2026

Grid: Integer Overflow in Grid::expand_rows Leads to Safe-API Undefined Behavior (Moderate)
GHSA-38c5-483c-4qqp was published for grid (Rust) Apr 24, 2026
Credited to ksj1230

New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud (High)
CVE-2026-41432 was published for github.com/QuantumNous/new-api (Go) Apr 24, 2026
Credited to Calcium-Ion, ChangeYu0229, and kainordherd

Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in NQuad Lang Field (Critical)
CVE-2026-41328 was published for github.com/dgraph-io/dgraph (Go) Apr 24, 2026
Credited to VladimirEliTokarev

Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in Upsert Condition Field (Critical)
CVE-2026-41327 was published for github.com/dgraph-io/dgraph (Go) Apr 24, 2026
Credited to VladimirEliTokarev

russh has pre-auth DoS via unbounded allocation in its keyboard-interactive auth handler (High)
GHSA-f5v4-2wr6-hqmg was published for russh (Rust) Apr 24, 2026
Credited to coreyleavitt

RedwoodSDK has Same-site CSRF through lack of origin validation in its server actions (Moderate)
GHSA-m2m6-cff5-3w7c was published for rwsdk (npm) Apr 24, 2026
Credited to mthx