
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

8,818 advisories

Credited to david3107
MindsDB has improper sanitation of filepath that leads to information disclosure and DOS (High)
CVE-2025-68472 was published for MindsDB (pip) Jan 12, 2026
Credited to locus-x64
SM2-PKE has Unchecked AffinePoint Decoding (unwrap) in decrypt() (High)
CVE-2026-22699 was published for sm2 (Rust) Jan 9, 2026
Credited to XlabAITeam
Fickling vulnerable to detection bypass due to "builtins" blindness (High)
CVE-2026-22612 was published for fickling (pip) Jan 9, 2026
Credited to 0x-Apollyon
SM2-PKE has 32-bit Biased Nonce Vulnerability (High)
CVE-2026-22698 was published for sm2 (Rust) Jan 9, 2026
Credited to XlabAITeam
Fickling has Static Analysis Bypass via Incomplete Dangerous Module Blocklist (High)
CVE-2026-22609 was published for fickling (pip) Jan 9, 2026
Credited to mldangelo
Fickling vulnerable to use of ctypes and pydoc gadget chain to bypass detection (High)
CVE-2026-22608 was published for fickling (pip) Jan 9, 2026
Credited to 0x-Apollyon
Fickling Blocklist Bypass: cProfile.run() (High)
CVE-2026-22607 was published for fickling (pip) Jan 9, 2026
Credited to beneaththecode
Fickling has a bypass via runpy.run_path() and runpy.run_module() (High)
CVE-2026-22606 was published for fickling (pip) Jan 9, 2026
Credited to beneaththecode
jose-swift has JWT Signature Verification Bypass via None Algorithm (High)
GHSA-88q6-jcjg-hvmw was published for github.com/beatt83/jose-swift (Swift) Jan 9, 2026
Credited to snyff
WeKnora vulnerable to SQL Injection (High)
CVE-2026-22687 was published for github.com/Tencent/WeKnora (Go) Jan 9, 2026
Credited to passer-W
Angular has XSS Vulnerability via Unsanitized SVG Script Attributes (High)
CVE-2026-22610 was published for @angular/compiler (npm) Jan 9, 2026
Credited to alan-agius4, josephperrott, AndrewKushnir, hybrist, ShelbyKelley, and gkalpak
vLLM introduced enhanced protection for CVE-2025-62164 (High)
GHSA-mcmc-2m55-j8jj was published for vllm (pip) Jan 8, 2026
Ghost has Staff Token permission bypass (High)
CVE-2026-22595 was published for ghost (npm) Jan 8, 2026
Credited to odgrso
Ghost has Staff 2FA bypass (High)
CVE-2026-22594 was published for ghost (npm) Jan 8, 2026
Credited to odgrso
Spree API has Unauthenticated IDOR - Guest Address (High)
CVE-2026-22589 was published for spree_core (RubyGems) Jan 8, 2026
Salvo is vulnerable to reflected XSS in the list_html function (High)
CVE-2026-22256 was published for salvo (Rust) Jan 8, 2026
Credited to AhmedMokhtari, mwlik, and imenyoo2
Credited to AhmedMokhtari, imenyoo2, and mwlik
Shakapacker has environment variable leak via EnvironmentPlugin that exposes secrets to client-side bundles (High)
GHSA-96qw-h329-v5rg was published for shakapacker (RubyGems) Jan 8, 2026
React Router vulnerable to XSS via Open Redirects (High)
CVE-2026-22029 was published for @remix-run/router (npm) Jan 8, 2026
Credited to Oceandust
React Router SSR XSS in ScrollRestoration (High)
CVE-2026-21884 was published for @remix-run/react (npm) Jan 8, 2026
Credited to zaddy6 and arthurgervais
React Router has XSS Vulnerability (High)
CVE-2025-59057 was published for @remix-run/react (npm) Jan 8, 2026
Credited to zaddy6 and arthurgervais
NiceGUI apps which use `ui.sub_pages` vulnerable to zero-click XSS (High)
CVE-2026-21873 was published for nicegui (pip) Jan 8, 2026
Credited to evnchn and falkoschindler
picklescan has Arbitrary file read using `io.FileIO` (High)
GHSA-9726-w42j-3qjr was published for picklescan (pip) Jan 8, 2026
Credited to shivasurya
OpenMetadata's Server-Side Template Injection (SSTI) in FreeMarker email templates leads to RCE (High)
CVE-2026-22244 was published for org.open-metadata:platform (Maven) Jan 7, 2026
Credited to lnlinh31, manerow, TeddyCr, and pmbrull