GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,296
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
33,218 advisories
Filter by severity
`exploration` was removed from crates.io for malicious code
Critical
GHSA-99j7-fhr2-xfj4
was published
for
exploration
(Rust)
Jul 10, 2026
Windmill: Resource-scoped API tokens can read script contents outside their allowed path via scripts/list_search
Moderate
CVE-2026-54136
was published
for
windmill-api
(Rust)
Jul 10, 2026
SiYuan: Stored XSS in Bazaar marketplace via package README event handlers
High
CVE-2026-54070
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
File Browser: Authentication Bypass via Proxy Auth Header Forgery
Critical
CVE-2026-54089
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Jul 10, 2026
SiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist
Critical
CVE-2026-54069
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
SiYuan: Unauthenticated SQLite Data Exfiltration via Template Injection in /api/icon/getDynamicIcon
Moderate
CVE-2026-54068
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
CredSweeper: Recursive archive size-limit bypass in deep scanner allows crafted compressed inputs to exhaust resources
Moderate
GHSA-9mqm-qcwf-5qhg
was published
for
credsweeper
(pip)
Jul 10, 2026
Excelize: Unbounded Row Index Allocation in Worksheet Parser (checkSheet OOM/Panic DoS)
High
CVE-2026-54063
was published
for
github.com/xuri/excelize/v2
(Go)
Jul 10, 2026
Authorizer: Unvalidated redirect_uri in /authorize leaks OAuth2 tokens to attacker-controlled URL
Critical
CVE-2026-54072
was published
for
github.com/authorizerdev/authorizer
(Go)
Jul 10, 2026
SiYuan: Stored XSS to RCE via CSS-snippet <style> breakout in renderSnippet()
Critical
CVE-2026-54067
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file─read), Incomplete fix of CVE-2026-41894
High
CVE-2026-54066
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
MCP Atlassian: DNS-rebinding TOCTOU bypass of the SSRF fix (CVE-2026-27826)
Moderate
GHSA-489g-7rxv-6c8q
was published
for
mcp-atlassian
(pip)
Jul 10, 2026
tarteaucitron: data-cookie attribute can be used to delete arbitrary cookies
Moderate
CVE-2026-49977
was published
for
tarteaucitronjs
(npm)
Jul 10, 2026
libp2p: CPU DoS via oversized IHAVE and IWANT control message arrays
High
CVE-2026-49866
was published
for
@libp2p/gossipsub
(npm)
Jul 10, 2026
Kimai has Server-Side Request Forgery in Invoice PDF Rendering via Markdown Image URLs
Moderate
CVE-2026-49865
was published
for
kimai/kimai
(Composer)
Jul 10, 2026
morgan vulnerable to Log Forging via unneutralized control characters in :remote-user
Moderate
CVE-2026-5078
was published
for
morgan
(npm)
Jul 10, 2026
API Platform Core vulnerable to cross-user attribute leak in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate
Moderate
CVE-2026-49858
was published
for
api-platform/core
(Composer)
Jul 10, 2026
Tesla vulnerable to multipart part smuggling via unescaped `content-disposition` values
Low
CVE-2026-48598
was published
for
tesla
(Erlang)
Jul 10, 2026
Tesla vulnerable to atom exhaustion via untrusted URL scheme
High
CVE-2026-48597
was published
for
tesla
(Erlang)
Jul 10, 2026
Tesla: Authorization header leaks on cross-origin redirect via case-sensitive filtering
High
CVE-2026-48595
was published
for
tesla
(Erlang)
Jul 10, 2026
Tesla has decompression bomb on response body
High
CVE-2026-48594
was published
for
tesla
(Erlang)
Jul 10, 2026
Tesla has CRLF injection in request `Content-Type` header via `add_content_type_param`
Low
CVE-2026-48596
was published
for
tesla
(Erlang)
Jul 10, 2026
Mistune: Potential DoS via quadratic-time parsing in parse_link_text
High
CVE-2026-49851
was published
for
mistune
(pip)
Jul 9, 2026
GoBGP confederation validation panics on empty AS_PATH attribute
Moderate
CVE-2026-49838
was published
for
github.com/osrg/gobgp/v4
(Go)
Jul 9, 2026
GoBGP: BGP OPEN capability parser may read capability values outside declared CapLen boundaries
Moderate
CVE-2026-49837
was published
for
github.com/osrg/gobgp/v4
(Go)
Jul 9, 2026
ProTip!
Advisories are also available from the
GraphQL API