
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

30,963 advisories

Nezha Monitoring: Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members Moderate
CVE-2026-47124 was published for github.com/nezhahq/nezha (Go) May 23, 2026
Credited to sondt99
Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron Critical
CVE-2026-46716 was published for github.com/nezhahq/nezha (Go) May 23, 2026
Arcane: Missing admin authorization on global variables endpoint High
CVE-2026-47125 was published for github.com/getarcaneapp/arcane/backend (Go) May 23, 2026
Credited to offset
instagrapi: Unsafe signup challenge path handling in instagrapi Moderate
GHSA-ggxf-37hm-9wqf was published for instagrapi (pip) May 23, 2026
Credited to trophyxxx
aiograpi: Unsafe signup challenge path handling Moderate
CVE-2026-47157 was published for aiograpi (pip) May 23, 2026
Credited to trophyxxx
Parse Server: Pre-authentication denial of service via client version header regex backtracking High
CVE-2026-47138 was published for parse-server (npm) May 23, 2026
Credited to shmulc8 and mtrezza
Nezha Monitoring: RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks (no ownership check) Moderate
CVE-2026-47120 was published for github.com/nezhahq/nezha (Go) May 23, 2026
Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification High
CVE-2026-46717 was published for github.com/nezhahq/nezha (Go) May 23, 2026
Flask-Security-Too OAuth reauthentication freshness bypass via cross-user OAuth identity acceptance Moderate
CVE-2026-46715 was published for Flask-Security-Too (pip) May 22, 2026
Credited to 0xHunSec
Credited to 7p9eiiwqo8kos
Credited to joannalange and ljharb
FileBrowser Quantum: Path traversal in public share PATCH allows file ops outside shared directory Critical
GHSA-qqqm-5547-774x was published for github.com/gtsteffaniak/filebrowser/backend (Go) May 22, 2026
Credited to fg0x0 and Revanth011
YesWiki: Unauthenticated SQL Injection Critical
CVE-2026-46670 was published for yeswiki/yeswiki (Composer) May 22, 2026
Credited to SamyGhannad
ImageMagick: Heap Buffer Over-Read in distributed pixel cache server Moderate
CVE-2026-47166 was published for Magick.NET-Q16-AnyCPU (NuGet) May 22, 2026
Credited to 007bsd
ImageMagick: Race Condition in distributed pixel cache server can result in file descriptor hijacking Moderate
CVE-2026-46693 was published for Magick.NET-Q16-AnyCPU (NuGet) May 22, 2026
ImageMagick: Heap Buffer Over-Write in distributed pixel cache server Moderate
CVE-2026-46692 was published for Magick.NET-Q16-AnyCPU (NuGet) May 22, 2026
Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret High
CVE-2026-46701 was published for network-ai (npm) May 21, 2026
Credited to 232-323 and min8282
Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host Critical
CVE-2026-46703 was published for @boxlite-ai/boxlite (Go) May 21, 2026
Credited to XlabAITeam
BoxLite: Permission Bypass Allows Modification of Read-Only Files Critical
CVE-2026-46695 was published for @boxlite-ai/boxlite (Go) May 21, 2026
Credited to XlabAITeam
ImageMagick: Information Disclosure in PasskeyEncipherImage via AES-CTR nonce reuse Low
GHSA-qv2q-c278-pch5 was published for Magick.NET-Q16-AnyCPU (NuGet) May 21, 2026
Credited to 007bsd and LuiginoC
ImageMagick: Division by Zero in binomial kernel Low
GHSA-vf33-6r7x-66xx was published for Magick.NET-Q16-AnyCPU (NuGet) May 21, 2026
Credited to 007bsd
ImageMagick: Heap Buffer Over-Write in json and yaml encoder of a single byte due to incorrect fix Moderate
GHSA-jqq5-8px3-9m6m was published for Magick.NET-Q16-AnyCPU (NuGet) May 21, 2026
Credited to 007bsd
@nevware21/ts-utils: Prototype Pollution in objDeepCopy/objCopyProps via for...in without hasOwnProperty High
CVE-2026-46681 was published for @nevware21/ts-utils (npm) May 21, 2026
containerd user ID handling bypass allows runAsNonRoot evasion High
CVE-2026-46680 was published for github.com/containerd/containerd (Go) May 21, 2026
Credited to ssst0n3