Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
38
Go
2,880
Maven
5,000+
npm
4,518
NuGet
784
pip
4,260
Pub
12
RubyGems
975
Rust
1,105
Swift
49
Unreviewed advisories
All unreviewed
5,000+

25,668 advisories

Loading
Ghost vulnerable to XSS via malicious Portal preview links High
CVE-2026-24778 was published for @tryghost/portal (npm) Jan 28, 2026
Hono vulnerable to XSS through ErrorBoundary component Moderate
CVE-2026-24771 was published for hono (npm) Jan 28, 2026
kilkat
Credited to kilkat
Cap'n Proto has Undefined Behavior in constant::Reader and StructSchema Critical
GHSA-5w5r-mf82-595p was published for capnp (Rust) Jan 28, 2026
TaskWeaver has Protection Mechanism Failure and Server-Side Request Forgery (SSRF) Moderate
GHSA-gpx9-96j6-pp87 was published for agentos-taskweaver (pip) Jan 28, 2026
nnfrog
Credited to nnfrog
Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components High
GHSA-h25m-26qc-wcjf was published for next (npm) Jan 28, 2026
Next.js has Unbounded Memory Consumption via PPR Resume Endpoint Moderate
CVE-2025-59472 was published for next (npm) Jan 28, 2026
billboard.js is vulnerable to XSS during chart option binding High
CVE-2026-1513 was published for billboard.js (npm) Jan 28, 2026
vlt Mishandles Path Sanitization for tar Moderate
CVE-2026-24909 was published for @vltpkg/tar (npm) Jan 28, 2026
PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling High
CVE-2026-24765 was published for phpunit/phpunit (Composer) Jan 27, 2026
aqhmal theseer
Credited to aqhmal and theseer
Kargo's `GetConfig()` and `RefreshResource()` API endpoints allow unauthenticated access Moderate
CVE-2026-24748 was published for github.com/akuity/kargo (Go) Jan 27, 2026
StudioCMS has Authorization Bypass Through User-Controlled Key Moderate
CVE-2026-24134 was published for studiocms (npm) Jan 27, 2026
FilipeGaudard Adammatthiesen
Credited to FilipeGaudard and Adammatthiesen
PyTorch Vulnerable to Remote Code Execution via Untrusted Checkpoint Files High
CVE-2026-24747 was published for pytorch (pip) Jan 27, 2026
azraelxuemo
Credited to azraelxuemo
SandboxJS has Sandbox Escape via Unprotected AsyncFunction Constructor Critical
CVE-2026-23830 was published for @nyariv/sandboxjs (npm) Jan 27, 2026
nyxsorcerer
Credited to nyxsorcerer
Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration Moderate
CVE-2025-59471 was published for next (npm) Jan 27, 2026
Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter) Moderate
CVE-2026-24473 was published for hono (npm) Jan 27, 2026
kilkat JungJoonWoo
Credited to kilkat and JungJoonWoo
Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception Moderate
CVE-2026-24472 was published for hono (npm) Jan 27, 2026
simonkoeck
Credited to simonkoeck
Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing Moderate
CVE-2026-24398 was published for hono (npm) Jan 27, 2026
devanshbatham
Credited to devanshbatham
OctoPrint has Timing Side-Channel Vulnerability in API Key Authentication Moderate
CVE-2026-23892 was published for OctoPrint (pip) Jan 27, 2026
yueyueL
Credited to yueyueL
Kyverno Denial of Service via Context Variable Amplification in Policy Engine High
CVE-2026-23881 was published for github.com/kyverno/kyverno (Go) Jan 27, 2026
thevilledev
Credited to thevilledev
Kyverno Cross-Namespace Privilege Escalation via Policy apiCall Critical
CVE-2026-22039 was published for github.com/kyverno/kyverno (Go) Jan 27, 2026
thevilledev
Credited to thevilledev
n8n Unsafe Workflow Expression Evaluation Allows Remote Code Execution Critical
CVE-2026-1470 was published for n8n (npm) Jan 27, 2026
askbot inexhaustive permissions check allows any user to modify a different user's profile picture Moderate
CVE-2026-1213 was published for askbot (pip) Jan 27, 2026
Quick-Media Batik Codec FIX Package has Buffer Overflow Vulnerability in PNG Codec Moderate
CVE-2026-24807 was published for com.github.liuyueyi.media:batik-codec-fix (Maven) Jan 27, 2026
Quick-Media Batik Codec FIX package has Code Injection vulnerability Moderate
CVE-2026-24806 was published for com.github.liuyueyi.media:batik-codec-fix (Maven) Jan 27, 2026
jsonrpc4j has Infinite Loop in RPC Stream Writer Moderate
CVE-2026-24802 was published for com.github.briandilley.jsonrpc4j:jsonrpc4j (Maven) Jan 27, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database