
GitHub Advisory Database

Security vulnerability database covering CVEs and GitHub-originated security advisories from the world of open source software.

25,485 advisories

Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment [Critical]
CVE-2026-23518 was published for github.com/fleetdm/fleet (Go) on Jan 20, 2026
Fleet has an Access Control vulnerability in debug/pprof endpoints [High]
CVE-2026-23517 was published for github.com/fleetdm/fleet (Go) on Jan 20, 2026
Credited to iansltx
Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability [High]
CVE-2026-22808 was published for github.com/fleetdm/fleet (Go) on Jan 20, 2026
Credited to iansltx
Turbo Frame responses can restore stale session cookies [Low]
CVE-2025-66803 was published for @hotwired/turbo (npm) on Jan 20, 2026
Credited to domchristie, packagethief, and samoli
ChatterBot Vulnerable to Denial of Service via Database Connection Pool Exhaustion [High]
CVE-2026-23842 was published for chatterbot (pip) on Jan 20, 2026
Credited to AdityaBhatt3010
Mailpit has an SMTP Header Injection via Regex Bypass [Moderate]
CVE-2026-23829 was published for github.com/axllent/mailpit (Go) on Jan 20, 2026
Credited to omarkurt
Lobe Chat affected by Cross-Site Scripting (XSS) that can escalate to Remote Code Execution (RCE) [Moderate]
CVE-2026-23733 was published for @lobehub/chat (npm) on Jan 20, 2026
Credited to c2an1
ImageMagick releases an invalid pointer in BilateralBlur when memory allocation fails [Moderate]
CVE-2026-22770 was published for Magick.NET-Q16-AnyCPU (NuGet) on Jan 20, 2026
esm.sh has a path traversal in extractPackageTarball that enables file writes from malicious packages [High]
CVE-2026-23644 was published for github.com/esm-dev/esm.sh (Go) on Jan 20, 2026
Credited to kelbyludwig
Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross-User File Deletion [Low]
CVE-2026-23522 was published for @lobehub/chat (npm) on Jan 20, 2026
Credited to DenizParlak
Kimai has an Authenticated Server-Side Template Injection (SSTI) [Moderate]
CVE-2026-23626 was published for kimai/kimai (Composer) on Jan 20, 2026
Credited to HUSEYNKHANLI
External Secrets Operator insecurely retrieves secrets through the getSecretKey templating function [Critical]
CVE-2026-22822 was published for github.com/external-secrets/external-secrets (Go) on Jan 20, 2026
Credited to evrardjp and gusfcarvalho
@fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding) [High]
CVE-2026-22037 was published for @fastify/express (npm) on Jan 20, 2026
Credited to rootxharsh, Eomm, and mcollina
Fastify Middie Middleware Path Bypass [High]
CVE-2026-22031 was published for @fastify/middie (npm) on Jan 20, 2026
Credited to rootxharsh, kamilmysliwiec, Eomm, and mcollina
Pterodactyl endlessly reprocesses/reuploads activity log data because the SQLite maximum parameter limit is not considered [High]
CVE-2026-21696 was published for github.com/pterodactyl/wings (Go) on Jan 20, 2026
Credited to danny6167
Pterodactyl websocket endpoints have no visible rate limits or monitoring, allowing DoS attacks [High]
CVE-2025-69199 was published for github.com/pterodactyl/wings (Go) on Jan 20, 2026
Credited to KianBrose
Pterodactyl improperly locks resources, allowing raced queries to create more resources than allotted [Moderate]
CVE-2025-69198 was published for pterodactyl/panel (Composer) on Jan 20, 2026
Credited to vsevolodmelnyk
WeasyPrint has a Server-Side Request Forgery (SSRF) Protection Bypass via HTTP Redirect [High]
CVE-2025-68616 was published for weasyprint (pip) on Jan 20, 2026
Credited to g4nkd
risesoft-y9 Digital-Infrastructure has a SQL injection vulnerability [Moderate]
CVE-2026-1050 was published for net.risesoft:risenet-y9boot-support-platform-service (Maven) on Jan 17, 2026
Credited to Jvr2022
REC in MCPJam inspector due to HTTP Endpoint exposes [Critical]
CVE-2026-23744 was published for @mcpjam/inspector (npm) on Jan 16, 2026
Credited to c2an1
GraphQL Modules has a Race Condition issue [High]
CVE-2026-23735 was published for graphql-modules (npm) on Jan 16, 2026
Credited to DuckThom, enisdenjo, and ardatan
Veramo is Vulnerable to SQL Injection in Veramo Data Store ORM [Moderate]
GHSA-38cw-85xc-xr9x was published for @veramo/data-store (npm) on Jan 16, 2026
Credited to rekter0
Skipper is vulnerable to arbitrary code execution through Lua filters [High]
CVE-2026-23742 was published for github.com/zalando/skipper (Go) on Jan 16, 2026
Credited to moyushui and b0b0haha
svelte is vulnerable to XSS with textarea bind:value [High]
GHSA-gw32-9rmw-qwww was published for svelte (npm) on Jan 16, 2026
Credited to coyotte508, Conduitry, and benmccann