
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

11,519 advisories

Keycloak Affected by Broken Access Control Vulnerability in the UserManagedPermissionService Moderate
CVE-2025-14778 was published for org.keycloak:keycloak-services (Maven) Feb 9, 2026
Credited to eminaktas
beautiful-mermaid contains an SVG attribute injection issue that can lead to cross-site scripting (XSS) Moderate
CVE-2026-26226 was published for beautiful-mermaid (npm) Feb 13, 2026
Cloudflare Agents has a Reflected Cross-Site Scripting (XSS) vulnerability in AI Playground site Moderate
GHSA-w5cr-2qhr-jqc5 was published for agents (npm) Feb 13, 2026
Mattermost doesn't validate user permissions when creating Jira issues from Mattermost posts Moderate
CVE-2026-22892 was published for github.com/mattermost/mattermost-server (Go) Feb 13, 2026
Apache Avro Java SDK is Vulnerable to Code Injection Moderate
CVE-2025-33042 was published for org.apache.avro:avro (Maven) Feb 13, 2026
rPGP's integrity protection of encrypted data was not always checked Moderate
GHSA-c7ph-f7jm-xv4w was published for pgp (Rust) Feb 13, 2026
Child processes spawned by Renovate incorrectly have full access to environment variables Moderate
GHSA-8wc6-vgrq-x6cf was published for renovate (npm) Feb 13, 2026
Credited to viceice
Keycloak services allows the issuance of access and refresh tokens for disabled users Moderate
CVE-2025-14559 was published for org.keycloak:keycloak-services (Maven) Jan 21, 2026
Credited to julianladisch and eminaktas
Bug fixes in hpke-rs, hpke-rs-rust-crypto Moderate
GHSA-g433-pq76-6cmf was published for hpke-rs (Rust) Feb 13, 2026
markdown-it has a Regular Expression Denial of Service (ReDoS) Moderate
CVE-2026-2327 was published for markdown-it (npm) Feb 12, 2026
Django has an SQL Injection issue Moderate
CVE-2026-1312 was published for Django (pip) Feb 3, 2026
Credited to sunnypatell
Apache Airflow Has an Authorization Bypass That Allows Unauthorized Task Log Access Moderate
CVE-2026-22922 was published for apache-airflow (pip) Feb 9, 2026
Credited to saivarun3407 and tei-dunamu
Directus Vulnerable to User Enumeration via Password Reset Timing Attack Moderate
CVE-2026-26185 was published for @directus/api (npm) Feb 12, 2026
Credited to DenizParlak
sqlparse: formatting list of tuples leads to denial of service Moderate
GHSA-27jp-wm6q-gp25 was published for sqlparse (pip) Feb 13, 2026
Credited to jacobtylerwalls
Pion DTLS's usage of random nonce generation with AES GCM ciphers risks leaking the authentication key Moderate
CVE-2026-26014 was published for github.com/pion/dtls (Go) Feb 11, 2026
Credited to theodorsm and JoTurk
@farmfe/core is Missing Origin Validation in WebSocket Moderate
CVE-2025-56647 was published for @farmfe/core (npm) Feb 12, 2026
Bug-Fixes in `libcrux-ecdh`, `libcrux-ed25519`, `libcrux-psq` Moderate
GHSA-435g-fcv3-8j26 was published for libcrux-ecdh (Rust) Feb 12, 2026
Credited to nadimkobeissi
SurrealDB vulnerable to Denial of Service through scripting function memory edge case Moderate
GHSA-xx7m-69ff-9crp was published for surrealdb (Rust) Feb 12, 2026
Credited to LucyEgan
XWiki vulnerable to click-jacking through CSS injection in comments Moderate
CVE-2026-26000 was published for org.xwiki.platform:xwiki-platform-web (Maven) Feb 12, 2026
Credited to keechy1231
webtransport-go: Memory Exhaustion Attack due to Missing Cleanup of Streams Map Moderate
CVE-2026-21438 was published for github.com/quic-go/webtransport-go (Go) Feb 12, 2026
webtransport-go: CloseWithError can block indefinitely Moderate
CVE-2026-21435 was published for github.com/quic-go/webtransport-go (Go) Feb 12, 2026
webtransport-go: Memory Exhaustion Attack due to Missing Length Check in WT_CLOSE_SESSION Capsule Moderate
CVE-2026-21434 was published for github.com/quic-go/webtransport-go (Go) Feb 12, 2026
golang.org/x/net/html has a Quadratic Parsing Complexity issue Moderate
CVE-2025-47911 was published for golang.org/x/net/html (Go) Feb 12, 2026
cap-go/capacitor-native-biometric Authentication Bypass Moderate
GHSA-vx5f-vmr6-32wf was published for @capgo/capacitor-native-biometric (npm) Feb 10, 2026
Credited to itz-d0dgy-2nd
ProTip! Advisories are also available from the GraphQL API