GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
1,063 advisories
Ironic Standalone Operator's prometheus metrics exporter bound to all interfaces
Moderate
GHSA-7cwm-fpfh-rrch was published for github.com/metal3-io/ironic-standalone-operator (Go) on May 29, 2026
NodeVM observability builtins leak host process and HTTP request data
Moderate
CVE-2026-47141 was published for vm2 (npm) on May 29, 2026
Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener
High
CVE-2026-45077 was published for symfony/monolog-bridge (Composer) on May 27, 2026
Algernon: Auto-refresh SSE event server binds to all interfaces by default on Linux/macOS
Moderate
CVE-2026-46430 was published for github.com/xyproto/algernon (Go) on May 20, 2026
Information disclosure, sandbox escape in the Security: Process Sandboxing component. This...
High
Unreviewed
CVE-2026-8958 was published on May 19, 2026
The additional_tables configuration of the page and tt_content indexers accepts arbitrary table...
Moderate
Unreviewed
CVE-2026-46723 was published on May 19, 2026
vm2 Has a Sandbox Breakout Using Async Generator
Critical
CVE-2026-45411 was published for vm2 (npm) on May 14, 2026
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program...
Low
Unreviewed
CVE-2026-34094 was published on May 11, 2026
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program...
Low
Unreviewed
CVE-2026-34095 was published on May 11, 2026
PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution
High
CVE-2026-44338 was published for PraisonAI (pip) on May 11, 2026
Open WebUI: Redis Cache Keys tool_servers and terminal_servers Missing Instance Prefix Enable Cross-Instance Cache Poisoning
High
CVE-2026-44552 was published for open-webui (pip) on May 8, 2026
vm2 has Sandbox Breakout Through Null Proto Exception
Critical
CVE-2026-44009 was published for vm2 (npm) on May 8, 2026
vm2 has sandbox breakout via `neutralizeArraySpeciesBatch`
Critical
CVE-2026-44008 was published for vm2 (npm) on May 8, 2026
vm2 Host Promise Resolution Preserves Object Identity Across Sandbox Boundary
Moderate
CVE-2026-44000 was published for vm2 (npm) on May 7, 2026
External Secrets Operator has Namespace Isolation Bypass in CAProvider ConfigMap Resolution for SecretStore
Moderate
CVE-2026-42875 was published for github.com/external-secrets/external-secrets (Go) on May 5, 2026
Duplicate Advisory: OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables
High
GHSA-5mh4-3rv3-fpcf was published for openclaw (npm) on Apr 28, 2026 • withdrawn
OpenClaw versions 2026.2.19 before 2026.3.31 contain an improper cache isolation vulnerability in...
Low
Unreviewed
CVE-2026-41362 was published on Apr 28, 2026
OpenClaw before 2026.3.28 contains an environment variable disclosure vulnerability in the jq...
High
Unreviewed
CVE-2026-41368 was published on Apr 28, 2026
Apache Airflow exposes SQL stack trace despite "api/expose_stack_traces" set to false
Moderate
CVE-2026-30912 was published for apache-airflow-core (pip) on Apr 18, 2026
Apache Airflow Exposes Secrets in Variables Saved as JSON Dictionaries
Low
CVE-2026-32690 was published for apache-airflow-core (pip) on Apr 18, 2026
Incorrect use of boot service in the AMD Platform Configuration Blob (APCB) SMM driver could...
High
Unreviewed
CVE-2025-54502 was published on Apr 16, 2026
Hashgraph Guardian through version 3.5.0 contains an unsandboxed JavaScript execution...
High
Unreviewed
CVE-2026-39911 was published on Apr 9, 2026
OpenClaw: Shared reply MEDIA - paths are treated as trusted and can trigger cross-channel local file exfiltration
Moderate
CVE-2026-42424 was published for openclaw (npm) on Apr 9, 2026
Apache Airflow has an authorization bypass in DagRun wait endpoint
Moderate
CVE-2026-34538 was published for apache-airflow (pip) on Apr 9, 2026
PraisonAI has Memory State Leakage and Path Traversal in MultiAgent Context Handling
Moderate
GHSA-766v-q9x3-g744 was published for praisonaiagents (pip) on Apr 8, 2026