Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
55
GitHub Actions
50
Go
3,722
Maven
5,000+
npm
5,000+
NuGet
935
pip
4,946
Pub
13
RubyGems
1,055
Rust
1,338
Swift
54
Unreviewed advisories
All unreviewed
5,000+

71 advisories

Loading
Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 High
CVE-2026-42043 was published for axios (npm) May 5, 2026
sachinpatilpsp Credited to sachinpatilpsp and IAMolofficial IAMolofficial IAMolofficial
pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy via unrestricted `proxy.*` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586) High
CVE-2026-42313 was published for pyload-ng (pip) May 4, 2026
shmulc8 Credited to shmulc8
Duplicate Advisory: OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API Moderate
GHSA-8pf2-vj79-4wxg was published for openclaw (npm) Apr 28, 2026 withdrawn
Kratos has a Confused Deputy issue Moderate
CVE-2026-6993 was published for github.com/go-kratos/kratos/v2 (Go) Apr 25, 2026
Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a deprecated .NET... High Unreviewed
CVE-2026-39906 was published Apr 15, 2026
kyverno apicall servicecall implicit bearer token injection leaks kyverno serviceaccount token High
CVE-2026-40868 was published for github.com/kyverno/kyverno (Go) Apr 14, 2026
1seal Credited to 1seal
Aiven Operator has cross-namespace secret exfiltration via ClickhouseUser connInfoSecretSource Moderate
CVE-2026-39961 was published for github.com/aiven/aiven-operator (Go) Apr 10, 2026
AndresAIFR Credited to AndresAIFR
Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF Moderate
CVE-2025-62718 was published for axios (npm) Apr 9, 2026
AmeerAssadi Credited to AmeerAssadi, SwTan98, and jasonsaayman SwTan98 SwTan98
jasonsaayman jasonsaayman
FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities High
CVE-2026-27124 was published for fastmcp (pip) Mar 31, 2026
an7y Credited to an7y
Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path` Moderate
CVE-2026-33768 was published for @astrojs/vercel (npm) Mar 26, 2026
jp-soba Credited to jp-soba
In gmc_ddr_handle_mba_mr_req of gmc_mba_ddr.c, there is a possible escalation of privileges due... High Unreviewed
CVE-2026-0107 was published Mar 10, 2026
OliveTin's RestartAction always runs actions as guest Moderate
CVE-2026-30225 was published for github.com/OliveTin/OliveTin (Go) Mar 5, 2026
Zwique Credited to Zwique
OpenClaw Vulnerable to Remote Code Execution via Node Invoke Approval Bypass in Gateway Critical
CVE-2026-28466 was published for openclaw (npm) Mar 2, 2026
222n5 Credited to 222n5
In hasInteractAcrossUsersFullPermission of AppInfoBase.java, there is a possible cross-user... High Unreviewed
CVE-2026-0021 was published Mar 2, 2026
In multiple locations, there is a possible privilege escalation due to a confused deputy. This... High Unreviewed
CVE-2026-0008 was published Mar 2, 2026
In executeRequest of ActivityStarter.java, there is a possible launch anywhere due to a confused... High Unreviewed
CVE-2025-48646 was published Mar 2, 2026
In setupLayout of PickActivity.java, there is a possible way to start any activity as a... High Unreviewed
CVE-2026-0013 was published Mar 2, 2026
In multiple functions of MediaProvider.java, there is a possible external storage write... High Unreviewed
CVE-2025-48579 was published Mar 2, 2026
An unintended proxy or intermediary in the AMD power management firmware (PMFW) could allow a... High Unreviewed
CVE-2023-31313 was published Feb 12, 2026
Skipper Ingress Controller Allows Unauthorized Access to Internal Services via ExternalName High
CVE-2026-24470 was published for github.com/zalando/skipper (Go) Jan 26, 2026
b0b0haha Credited to b0b0haha, moyushui, and j311yl0v3u moyushui moyushui
j311yl0v3u j311yl0v3u
SurrealDB Affected by Confused Deputy Privilege Escalation through Future Fields and Functions High
GHSA-3v2x-9xcv-2v2v was published for surrealdb (Rust) Jan 22, 2026
cure53 Credited to cure53 and geraname geraname geraname
A vulnerability in Nuvation Energy nCloud VPN Service allowed Network Boundary Bridging.This... Critical Unreviewed
CVE-2025-64125 was published Jan 3, 2026
A vulnerability in Nuvation Energy nCloud VPN Service allowed Network Boundary Bridging.This... Critical Unreviewed
CVE-2025-64123 was published Jan 3, 2026
Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries Moderate
CVE-2025-68944 was published for code.gitea.io/gitea (Go) Dec 26, 2025
Misconfigured Internal Proxy in runtimes-inventory-rhel8-operator Grants Standard Users Full Cluster Administrator Access High
CVE-2025-11393 was published for github.com/RedHatInsights/runtimes-inventory-operator (Go) Dec 15, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database