GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
29,215 advisories
Zebra Vulnerable to Consensus Divergence in Transparent Sighash Hash-Type Handling
Critical | GHSA-8m29-fpq5-89jj was published for zebra-script (Rust) | Apr 18, 2026
Zebra Vulnerable to Denial of Service via Interrupted JSON-RPC Requests from Authenticated Clients
Moderate | GHSA-29x4-r6jv-ff4w was published for zebra-rpc (Rust) | Apr 18, 2026
Zebra has rk Identity Point Panic in Transaction Verification
Critical | GHSA-452v-w3gx-72wg was published for zebra-chain (Rust) | Apr 18, 2026
MailKit has STARTTLS Response Injection via unflushed stream buffer that enables SASL mechanism downgrade
Moderate | GHSA-9j88-vvj5-vhgr was published for MailKit (NuGet) | Apr 18, 2026
pretalx vulnerable to stored cross-site scripting in organizer search typeahead
High | GHSA-cjcx-jfp2-f7m2 was published for pretalx (pip) | Apr 18, 2026
pretalx mail templates vulnerable to email injection via unescaped user-controlled placeholders
Moderate | GHSA-jm8c-9f3j-4378 was published for pretalx (pip) | Apr 18, 2026
Wish has SCP Path Traversal that allows arbitrary file read/write
Critical | GHSA-xjvp-7243-rg9h was published for charm.land/wish/v2 (Go) | Apr 18, 2026
Dagster Vulnerable to SQL Injection via Dynamic Partition Keys in Database I/O Manager Integrations
High | GHSA-mjw2-v2hm-wj34 was published for dagster (pip) | Apr 18, 2026
Amazon EFS CSI Driver has mount option injection via unsanitized volumeHandle and mounttargetip fields
Moderate | CVE-2026-6437 was published for github.com/kubernetes-sigs/aws-efs-csi-driver (Go) | Apr 18, 2026
OpenTelemetry .NET has potential memory exhaustion via unbounded pooled-list sizing in Jaeger exporter conversion path
Moderate | CVE-2026-41078 was published for OpenTelemetry.Exporter.Jaeger (NuGet) | Apr 18, 2026
YesWiki vulnerable to authenticated SQL Injection via id_fiche in EntryManager::formatDataBeforeSave()
High | GHSA-f58v-p6j9-24c2 was published for yeswiki/yeswiki (Composer) | Apr 18, 2026
Nhost Vulnerable to Account Takeover via OAuth Email Verification Bypass
Critical | GHSA-6g38-8j4p-j3pr was published for github.com/nhost/nhost (Go) | Apr 18, 2026
PHPUnit has Argument injection via newline in PHP INI values that are forwarded to child processes
High | GHSA-qrr6-mg7r-m243 was published for phpunit/phpunit (Composer) | Apr 18, 2026
Zio has SubFileSystem Path Confinement Bypass via Unresolved `..` Segment
Low | GHSA-h39g-6x3c-7fq9 was published for Zio (NuGet) | Apr 18, 2026
Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability
Critical | GHSA-v38x-c887-992f was published for flowise (npm) | Apr 18, 2026
Zebra: addr/addrv2 Deserialization Resource Exhaustion
Moderate | CVE-2026-40881 was published for zebra-network (Rust) | Apr 18, 2026
Zebra: Cached Mempool Verification Bypasses Consensus Rules for Ahead-of-Tip Blocks
High | CVE-2026-40880 was published for zebra-consensus (Rust) | Apr 18, 2026
elFinder: Command injection in resize background color parameter when using ImageMagick CLI
High | GHSA-8q4h-8crm-5cvc was published for studio-42/elfinder (Composer) | Apr 17, 2026
OpenClaw: QMD memory_get restricts reads to canonical or indexed memory paths
Moderate | GHSA-f934-5rqf-xx47 was published for openclaw (npm) | Apr 17, 2026
OpenClaw: Webchat media embedding enforces local-root containment for tool-result files
High | GHSA-mr34-9552-qr95 was published for openclaw (npm) | Apr 17, 2026
OpenClaw: Feishu webhook and card-action validation now fail closed
Critical | GHSA-xh72-v6v9-mwhc was published for openclaw (npm) | Apr 17, 2026
OpenClaw: Matrix room control-command authorization no longer trusts DM pairing-store entries
High | GHSA-2gvc-4f3c-2855 was published for openclaw (npm) | Apr 17, 2026
OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation
High | GHSA-xmxx-7p24-h892 was published for openclaw (npm) | Apr 17, 2026
Remote Code Execution (RCE) via String Literal Injection into math-codegen
Critical | GHSA-p6x5-p4xf-cc4r was published for math-codegen (npm) | Apr 17, 2026
go-git: Credential leak via cross-host redirect in smart HTTP transport
Moderate | GHSA-3xc5-wrhm-f963 was published for github.com/go-git/go-git/v5 (Go) | Apr 17, 2026
ProTip! Advisories are also available from the GraphQL API.