GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,260
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,483
Swift
61
Unreviewed advisories
All unreviewed
5,000+
10,823 advisories
Filter by severity
In Apache Airflow before 3.3.0, the REST API task-instance detail and list
endpoints returned a...
Moderate
Unreviewed
CVE-2026-49487
was published
Jul 7, 2026
A bug in Apache Airflow's `/ui/dependencies` scheduling graph endpoint applied the caller's...
Moderate
Unreviewed
CVE-2026-48891
was published
Jul 7, 2026
The Config API in Apache Airflow surfaced per-key secrets-backend overrides (environment...
Moderate
Unreviewed
CVE-2026-48892
was published
Jul 7, 2026
The Bulk Variables API in Apache Airflow called the redactor without passing the variable's key,...
Moderate
Unreviewed
CVE-2026-48828
was published
Jul 7, 2026
9routers has Exposure of Sensitive Information and Unprotected Database Import/Export, Allowing Complete Credential Theft and Database Takeover
Critical
CVE-2026-55500
was published
for
9router
(npm)
Jul 6, 2026
The OpenAI Codex desktop app for macOS rendered remote images from Markdown in model responses....
Unknown
Unreviewed
CVE-2026-14898
was published
Jul 6, 2026
Craft CMS: Sensitive File Disclosure / Server-Side File Read
Moderate
CVE-2026-55792
was published
for
craftcms/cms
(Composer)
Jul 6, 2026
9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats
Critical
GHSA-vjc7-jrh9-9j86
was published
for
9router
(npm)
Jul 6, 2026
Craft CMS: Authenticated "assets/preview-thumb" discloses signed fallback transform preview link to CP users without asset-view permission
Moderate
GHSA-x76w-8c62-48mg
was published
for
craftcms/cms
(Composer)
Jul 6, 2026
Exposure of sensitive information to an unauthorized actor in Microsoft Edge (Chromium-based)...
Moderate
Unreviewed
CVE-2026-56646
was published
Jul 3, 2026
A vulnerability has been found in DeepMyst Mysti up to 0.4.0. The affected element is the...
Moderate
Unreviewed
CVE-2026-14611
was published
Jul 3, 2026
LaunchServer FileServerHandler has an unauthenticated path traversal issue
Critical
CVE-2026-54617
was published
for
pro.gravit.launcher:launchserver-api
(Maven)
Jul 2, 2026
Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords
High
CVE-2026-50200
was published
for
Steeltoe.Management.Endpoint
(NuGet)
Jul 2, 2026
@nuxt/ui: UAuthForm / UForm SSR markup omits `method`, leaking credentials via GET if submitted before hydration
Moderate
GHSA-gj2h-2fpw-fhv9
was published
for
@nuxt/ui
(npm)
Jul 2, 2026
Froxlor: Authenticated customers can read other customers' allowed sender aliases
Moderate
GHSA-mr9h-45p9-fg8h
was published
for
froxlor/froxlor
(Composer)
Jul 2, 2026
Dragonfly Manager OAuth provider client_secret disclosure via unauthenticated GET /api/v1/oauth
Low
CVE-2026-49254
was published
for
d7y.io/dragonfly/v2
(Go)
Jul 2, 2026
Kerberos Hub private key (X-Kerberos-Hub-PrivateKey) leaked to cross-host redirect target due to redirect-following HTTP client without CheckRedirect
Moderate
CVE-2026-50192
was published
for
github.com/kerberos-io/agent/machinery
(Go)
Jul 2, 2026
OpenClaw's POSIX node system.run safe-bin allowlist could be widened by shell expansion
High
GHSA-mhq8-78pj-5j79
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Hook-triggered CLI runs could receive owner MCP tool authority
High
CVE-2026-53814
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Message read actions could skip channel allowlist checks
High
CVE-2026-53815
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw MCP SSE redirects could forward Authorization headers
Moderate
GHSA-9c3v-684m-579c
was published
for
openclaw
(npm)
Jul 1, 2026
ORAS Go forwards registry credentials across registry redirects
Moderate
GHSA-vh4v-2xq2-g5cg
was published
for
oras.land/oras-go/v2
(Go)
Jul 1, 2026
SurrealDB: Graph traversal bypasses table SELECT permissions
Moderate
GHSA-vjjx-rfw4-rmfc
was published
for
surrealdb
(Rust)
Jul 1, 2026
repomix: attach_packed_output can bypass file-read secret scanning for supported local files
Moderate
CVE-2026-49988
was published
for
repomix
(npm)
Jul 1, 2026
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation...
Moderate
Unreviewed
CVE-2026-58033
was published
Jul 1, 2026
ProTip!
Advisories are also available from the
GraphQL API