GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

27,025 advisories

xygeni-action v5 tag poisoned with C2 backdoor Critical
CVE-2026-31976 was published for xygeni/xygeni-action (GitHub Actions) Mar 11, 2026
Credited to Nick2bad4u
Tornado has incomplete validation of cookie attributes Moderate
GHSA-78cv-mqj4-43f7 was published for tornado (pip) Mar 11, 2026
Credited to DHIRAL2908
.NET Denial of Service Vulnerability High
CVE-2026-26127 was published for Microsoft.Bcl.Memory (NuGet) Mar 11, 2026
.NET Denial of Service Vulnerability High
CVE-2026-26130 was published for Microsoft.AspNetCore.App.Runtime.linux-arm (NuGet) Mar 11, 2026
Shescape escape() leaves bracket glob expansion active on Bash, BusyBox, and Dash Moderate
CVE-2026-32094 was published for shescape (npm) Mar 11, 2026
Credited to anyzy2003 and ericcornelissen
.NET Elevation of Privilege Vulnerability High
CVE-2026-26131 was published for Microsoft.NetCore.App.Runtime.linux-arm (NuGet) Mar 11, 2026
Credited to igorkovalchuk
Argo Workflows: WorkflowTemplate Security Bypass via podSpecPatch in Strict/Secure Reference Mode High
CVE-2026-31892 was published for github.com/argoproj/argo-workflows (Go) Mar 11, 2026
Credited to thevilledev
Shopware vulnerable to a potential take over of app credentials High
CVE-2026-31889 was published for shopware/core (Composer) Mar 11, 2026
Shopware has user enumeration via distinct error codes on Store API login endpoint Moderate
CVE-2026-31888 was published for shopware/core (Composer) Mar 11, 2026
Credited to bugbunny-research
Shopware: Unauthenticated data extraction possible through store-api.order endpoint High
CVE-2026-31887 was published for shopware/core (Composer) Mar 11, 2026
Credited to mromeike and janschoepke
Anytype Heart's gRPC API client challenge verification can be bypassed on localhost Low
CVE-2026-31863 was published for github.com/anyproto/anytype-cli (Go) Mar 11, 2026
Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions Page Low
GHSA-g3hp-vvqf-8vw6 was published for craftcms/cms (Composer) Mar 11, 2026
Credited to mHe4am
CraftCMS has an RCE vulnerability via relational conditionals in the control panel High
CVE-2026-31857 was published for craftcms/cms (Composer) Mar 11, 2026
Credited to Neosprings
Striae has a hash validation utility vulnerability High
CVE-2026-31839 was published for @striae-org/striae (npm) Mar 11, 2026
Credited to StephenJLu
Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks High
CVE-2026-31834 was published for Umbraco.Cms (NuGet) Mar 11, 2026
Credited to odgrso
Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering Moderate
CVE-2026-31833 was published for Umbraco.Cms (NuGet) Mar 11, 2026
Credited to odgrso
Cosmos EVM: incorrect state handling during nested EVM execution paths Critical
GHSA-54gx-3cgr-7mfm was published for github.com/cosmos/evm (Go) Mar 11, 2026
Traefik: kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values Moderate
CVE-2026-29777 was published for github.com/traefik/traefik/v3 (Go) Mar 11, 2026
Credited to 1seal
Unauthorized access to Argo Workflows Template High
CVE-2026-28229 was published for github.com/argoproj/argo-workflows/v3 (Go) Mar 11, 2026
Credited to Masamuneee
Quill has DoS via unbounded read of HTTP response body during notarization Moderate
CVE-2026-31960 was published for github.com/anchore/quill (Go) Mar 11, 2026
Quill has unbounded memory allocation via unvalidated size fields in Mach-O binary parsing Moderate
CVE-2026-31961 was published for github.com/anchore/quill (Go) Mar 11, 2026
Quill vulnerable to SSRF via unvalidated URL from Apple notarization log retrieval Moderate
CVE-2026-31959 was published for github.com/anchore/quill (Go) Mar 11, 2026
@siteboon/claude-code-ui Vulnerable to Unauthenticated RCE via WebSocket Shell Injection High
CVE-2026-31975 was published for @siteboon/claude-code-ui (npm) Mar 11, 2026
Credited to Ethan-Yang-opcia, DhiyaneshGeek, and neo-ai-engineer
Parse Server vulnerable to user enumeration via email verification endpoint Moderate
CVE-2026-31901 was published for parse-server (npm) Mar 11, 2026
Credited to 0xkakash1 and mtrezza
Parse Server's MFA recovery codes not consumed after use High
CVE-2026-31875 was published for parse-server (npm) Mar 11, 2026
Credited to 0xkakash1 and mtrezza
ProTip! Advisories are also available from the GraphQL API