GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem:

| Ecosystem | Count |
|---|---|
| All reviewed | 5,000+ |
| Composer | 2,891 |
| Erlang | 24 |
| GitHub Actions | 39 |
| Go | 2,240 |
| Maven | 2,698 |
| npm | 2,899 |
| NuGet | 500 |
| pip | 2,728 |
| Pub | 5 |
| RubyGems | 364 |
| Rust | 889 |
| Swift | 19 |

Unreviewed advisories (all): 5,000+

15,098 advisories
| Severity | Advisory | Package (ecosystem) | Published | Title |
|---|---|---|---|---|
| Moderate | GHSA-ffq5-qpvf-xq7x | openc3 (RubyGems) | Apr 22, 2026 | OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender |
| Moderate | GHSA-4jvx-93h3-f45h | openc3 (RubyGems) | Apr 22, 2026 | OpenC3 COSMOS allows arbitrary writes to plugins directory via path-traversed config filenames |
| High | GHSA-wgx6-g857-jjf7 | openc3 (RubyGems) | Apr 22, 2026 | OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence |
| Moderate | CVE-2026-41511 | OpenMcdf (NuGet) | Apr 22, 2026 | OpenMcdf has an Infinite loop DoS via crafted CFB directory cycle |
| High | GHSA-r466-rxw4-3j9j | @evomap/evolver (npm) | Apr 22, 2026 | Evolver: Path Traversal via `--out` flag in `fetch` command allows Arbitrary File Write |
| Critical | GHSA-j5w5-568x-rq53 | @evomap/evolver (npm) | Apr 22, 2026 | Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution |
| Moderate | GHSA-2cjr-5v3h-v2w4 | @evomap/evolver (npm) | Apr 22, 2026 | Evolver has Prototype Pollution via `Object.assign()` in its mailbox store operations |
| Critical | GHSA-2hp7-65r3-wv54 | github.com/orneryd/nornicdb (Go) | Apr 22, 2026 | NornicDB has Improper Network Binding in its Bolt Server, allowing unauthorized remote access |
| Moderate | GHSA-vrx2-77f2-ww34 | justhtml (pip) | Apr 22, 2026 | justhtml has sanitization bypass in custom policies and programmatic DOM |
| High | CVE-2026-41676 | openssl (Rust) | Apr 22, 2026 | rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1 |
| Low | CVE-2026-41677 | openssl (Rust) | Apr 22, 2026 | rust-openssl has an Out-of-bounds read in PEM password callback when returning an oversized length |
| High | CVE-2026-41678 | openssl (Rust) | Apr 22, 2026 | rust-openssl has incorrect bounds assertion in aes key wrap |
| High | CVE-2026-41681 | openssl (Rust) | Apr 22, 2026 | rust-openssl: rustMdCtxRef::digest_final() writes past caller buffer with no length check |
| High | GHSA-hppc-g8h3-xhp3 | openssl (Rust) | Apr 22, 2026 | rust-openssl: Unchecked callback length in PSK/cookie trampolines leaks adjacent memory to peer |
| Moderate | GHSA-w5hq-g745-h8pq | uuid (npm) | Apr 22, 2026 | uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided |
| High | GHSA-hjh7-r5w8-5872 | github.com/siyuan-note/siyuan/kernel (Go) | Apr 22, 2026 | SiYuan: Path Traversal via Double URL Encoding in `/export/` Endpoint (Incomplete Fix Bypass for CVE-2026-30869) |
| High | GHSA-p3h2-2j4p-p83g | @samanhappy/mcphub (npm) | Apr 22, 2026 | MCPHub has Path Traversal via Malicious MCPB Manifest Name |
| Low | GHSA-j88v-2chj-qfwx | github.com/jackc/pgx (Go) | Apr 22, 2026 | pgx: SQL Injection via placeholder confusion with dollar quoted string literals |
| Moderate | GHSA-3m6q-h5gj-7mrw | code.gitea.io/gitea (Go) | Apr 22, 2026 | Gitea has insecure default SSH settings |
| Moderate | GHSA-xjvc-pw2r-6878 | flarum/core (Composer) | Apr 22, 2026 | Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577) |
| High | GHSA-w937-fg2h-xhq2 | locize (npm) | Apr 22, 2026 | locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor |
| Moderate | GHSA-mgcp-mfp8-3q45 | i18next-locize-backend (npm) | Apr 22, 2026 | i18next-locize-backend has URL Injection via Unsanitized Path Parameters |
| High | CVE-2026-41683 | i18next-http-middleware (npm) | Apr 22, 2026 | i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header |
| High | CVE-2026-41673 | @xmldom/xmldom (npm) | Apr 22, 2026 | xmldom: Uncontrolled recursion in XML serialization leads to DoS |
| High | CVE-2026-41674 | @xmldom/xmldom (npm) | Apr 22, 2026 | xmldom has XML injection through unvalidated DocumentType serialization |