GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 40; GitHub Actions 38; Go 2,857; Maven 5,000+; npm 4,488; NuGet 780; pip 4,243; Pub 12; RubyGems 975; Rust 1,095; Swift 49.
Unreviewed advisories: All unreviewed 5,000+.
25,567 advisories in total.
Recently published advisories (one per line: ID, severity, title, affected package and ecosystem, publication date):

CVE-2026-20613 (Low): Container and Containerization archive extraction does not guard against escapes from extraction base directory. Published Jan 22, 2026 for github.com/apple/container (Swift).
GHSA-jp3q-wwp3-pwv9 (Low): Freeform Craft Plugin CP UI (builder/integrations) has Stored Cross-Site Scripting (XSS) issue. Published Jan 22, 2026 for solspace/craft-freeform (Composer).
CVE-2025-22234 (Moderate): Spring Security has a broken timing attack mitigation implemented in DaoAuthenticationProvide. Published Jan 22, 2026 for org.springframework.security:spring-security-core (Maven).
CVE-2026-24137 (Moderate): sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal. Published Jan 22, 2026 for github.com/sigstore/sigstore (Go).
CVE-2026-23954 (High): Incus container image templating arbitrary host file read and write. Published Jan 22, 2026 for github.com/lxc/incus/v6/cmd/incusd (Go).
CVE-2026-23953 (High): Incus container environment configuration newline injection. Published Jan 22, 2026 for github.com/lxc/incus/v6 (Go).
CVE-2026-24117 (Moderate): Rekor affected by Server-Side Request Forgery (SSRF) via provided public key URL. Published Jan 22, 2026 for github.com/sigstore/rekor (Go).
CVE-2026-23831 (Moderate): Rekor's COSE v0.0.1 entry type nil pointer dereference in Canonicalize via empty Message. Published Jan 22, 2026 for github.com/sigstore/rekor (Go).
CVE-2026-1260 (High): Sentencepiece has a heap overflow issue. Published Jan 22, 2026 for sentencepiece (pip).
CVE-2025-67221 (Moderate): orjson does not limit recursion for deeply nested JSON documents. Published Jan 22, 2026 for orjson (pip).
CVE-2026-24132 (High): Orval Mock Generation Code Injection via const. Published Jan 22, 2026 for @orval/mock (npm).
CVE-2026-24130 (Low): Moonraker affected by LDAP search filter injection. Published Jan 22, 2026 for moonraker (pip).
GHSA-3v2x-9xcv-2v2v (High): SurrealDB Affected by Confused Deputy Privilege Escalation through Future Fields and Functions. Published Jan 22, 2026 for surrealdb (Rust).
GHSA-7jxj-rpx7-ph2c (Low): Umbraco.Forms CDN may cache sensitive form uploads when processed by ImageSharp. Published Jan 22, 2026 for Umbraco.Forms (NuGet).
CVE-2026-24124 (High): Dragonfly Manager Job API Unauthenticated Access. Published Jan 22, 2026 for d7y.io/dragonfly/v2 (Go).
CVE-2026-24049 (High): Wheel Affected by Arbitrary File Permission Modification via Path Traversal in wheel unpack. Published Jan 22, 2026 for wheel (pip).
CVE-2026-24009 (High): docling-core vulnerable to Remote Code Execution via unsafe PyYAML usage. Published Jan 22, 2026 for docling-core (pip).
CVE-2026-24006 (High): Seroval affected by Denial of Service via Deeply Nested Objects. Published Jan 22, 2026 for seroval (npm).
CVE-2025-65098 (High): Typebot affected by Credential Theft via Client-Side Script Execution and API Authorization Bypass. Published Jan 22, 2026 for @typebot.io/js (npm).
CVE-2026-1225 (Low): Logback allows an attacker to instantiate classes already present on the class path. Published Jan 22, 2026 for ch.qos.logback:logback-core (Maven).
CVE-2026-24058 (High): Soft Serve Affected by an Authentication Bypass. Published Jan 21, 2026 for github.com/charmbracelet/soft-serve (Go).
CVE-2025-13465 (Moderate): Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions. Published Jan 21, 2026 for lodash (npm).
CVE-2026-0933 (High): Wrangler affected by OS Command Injection in `wrangler pages deploy`. Published Jan 21, 2026 for wrangler (npm).
GHSA-r92c-9c7f-3pj8 (Low): OpenTofu has High CPU usage in "tofu init" with maliciously-crafted module packages in .zip format. Published Jan 21, 2026 for github.com/opentofu/opentofu (Go).
GHSA-rjr4-v43m-pxq6 (Low): Triton VM has a Soundness Vulnerability due to Improper Sampling of Randomness. Published Jan 21, 2026 for triton-vm (Rust).
Advisories are also available from the GraphQL API.