Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
38
Go
2,812
Maven
5,000+
npm
4,426
NuGet
773
pip
4,203
Pub
12
RubyGems
968
Rust
1,086
Swift
47
Unreviewed advisories
All unreviewed
5,000+

25,344 advisories

Loading
Weblate wlc has insecure API key configuration Moderate
CVE-2026-22251 was published for wlc (pip) Jan 12, 2026
nijel Zee99y
Credited to nijel and Zee99y
Weblate command-line client susceptible to SSL verification skip Low
CVE-2026-22250 was published for wlc (pip) Jan 12, 2026
nijel Zee99y
Credited to nijel and Zee99y
Label Studio is vulnerable to full account takeover by chaining Stored XSS + IDOR in User Profile via custom_hotkeys field High
CVE-2026-22033 was published for label-studio (pip) Jan 12, 2026
david3107
Credited to david3107
MindsDB has improper sanitation of filepath that leads to information disclosure and DOS High
CVE-2025-68472 was published for MindsDB (pip) Jan 12, 2026
locus-x64
Credited to locus-x64
SM2-PKE has Unchecked AffinePoint Decoding (unwrap) in decrypt() High
CVE-2026-22699 was published for sm2 (Rust) Jan 9, 2026
XlabAITeam
Credited to XlabAITeam
Fickling vulnerable to detection bypass due to "builtins" blindness High
CVE-2026-22612 was published for fickling (pip) Jan 9, 2026
0x-Apollyon
Credited to 0x-Apollyon
SM2-PKE has 32-bit Biased Nonce Vulnerability High
CVE-2026-22698 was published for sm2 (Rust) Jan 9, 2026
XlabAITeam
Credited to XlabAITeam
Fickling has Static Analysis Bypass via Incomplete Dangerous Module Blocklist High
CVE-2026-22609 was published for fickling (pip) Jan 9, 2026
mldangelo
Credited to mldangelo
Fickling vulnerable to use of ctypes and pydoc gadget chain to bypass detection High
CVE-2026-22608 was published for fickling (pip) Jan 9, 2026
0x-Apollyon
Credited to 0x-Apollyon
Fickling Blocklist Bypass: cProfile.run() High
CVE-2026-22607 was published for fickling (pip) Jan 9, 2026
beneaththecode
Credited to beneaththecode
Fickling has a bypass via runpy.run_path() and runpy.run_module() High
CVE-2026-22606 was published for fickling (pip) Jan 9, 2026
beneaththecode
Credited to beneaththecode
October CMS Vulnerable to Stored XSS via Branding Styles Moderate
CVE-2025-61676 was published for october/system (Composer) Jan 9, 2026
nakkouchtarek daftspunk
Credited to nakkouchtarek and daftspunk
mnl has segmentation fault and invalid memory read in `mnl::cb_run` Low
GHSA-585q-cm62-757j was published for mnl (Rust) Jan 9, 2026
pypdf has possible long runtimes for malformed startxref Low
CVE-2026-22691 was published for pypdf (pip) Jan 9, 2026
mkaalto stefan6419846
Credited to mkaalto and stefan6419846
pypdf has possible long runtimes for missing /Root object with large /Size values Low
CVE-2026-22690 was published for pypdf (pip) Jan 9, 2026
N0zoM1z0 stefan6419846
Credited to N0zoM1z0 and stefan6419846
jose-swift has JWT Signature Verification Bypass via None Algorithm High
GHSA-88q6-jcjg-hvmw was published for github.com/beatt83/jose-swift (Swift) Jan 9, 2026
snyff
Credited to snyff
WeKnora has Command Injection in MCP stdio test Critical
CVE-2026-22688 was published for github.com/Tencent/WeKnora (Go) Jan 9, 2026
im-soohyun
Credited to im-soohyun
WeKnora vulnerable to SQL Injection High
CVE-2026-22687 was published for github.com/Tencent/WeKnora (Go) Jan 9, 2026
passer-W
Credited to passer-W
AWS SDK for .NET V4 adopted defense in depth enhancement for region parameter value Low
CVE-2026-22611 was published for AWSSDK.Core (NuGet) Jan 9, 2026
Angular has XSS Vulnerability via Unsanitized SVG Script Attributes High
CVE-2026-22610 was published for @angular/compiler (npm) Jan 9, 2026
alan-agius4 josephperrott
AndrewKushnir hybrist ShelbyKelley gkalpak
Credited to alan-agius4, josephperrott, AndrewKushnir, hybrist, ShelbyKelley, and gkalpak
XWiki Full Calendar Macro vulnerable to SQL injection through Calendar.JSONService Critical
CVE-2025-65091 was published for org.xwiki.contrib:macro-fullcalendar-pom (Maven) Jan 9, 2026
XWiki Full Calendar Macro vulnerable to data leak through Calendar.JSONService Moderate
CVE-2025-65090 was published for org.xwiki.contrib:macro-fullcalendar-pom (Maven) Jan 9, 2026
October CMS Vulnerable to Stored XSS via Editor and Branding Styles Moderate
CVE-2025-61674 was published for october/system (Composer) Jan 9, 2026
nakkouchtarek daftspunk
Credited to nakkouchtarek and daftspunk
FASTJSON Includes Functionality from Untrusted Control Sphere Critical
CVE-2025-70974 was published for com.alibaba:fastjson (Maven) Jan 9, 2026
Authlib has 1-click Account Takeover vulnerability Moderate
CVE-2025-68158 was published for authlib (pip) Jan 8, 2026
davidbors-snyk
Credited to davidbors-snyk
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database