Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,245 advisories

Loading
`melange update-cache` has unbounded HTTP download that can exhaust disk in CI Moderate
CVE-2026-29049 was published for chainguard.dev/melange (Go) Mar 2, 2026
1seal Credited to 1seal, antitree, and 89luca89 antitree antitree
89luca89 89luca89
netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion Moderate
CVE-2026-48043 was published for io.netty:netty-codec-http2 (Maven) Jun 11, 2026
SQLFluff: Uncontrolled Resource Consumption in SQLFluff Parser High
CVE-2026-46374 was published for sqlfluff (pip) May 19, 2026
mv: symlinks expanded during cross-device move (resource exhaustion / data duplication) Moderate
CVE-2026-35365 was published for uu_mv (Rust) Jul 6, 2026
cp: -R reads device nodes as streams, destroying device semantics Moderate
CVE-2026-35358 was published for uu_cp (Rust) Jul 6, 2026
CosmWasm wasmd has large address count in ValidateBasic Moderate
GHSA-m3rh-cvr5-x6q4 was published for github.com/CosmWasm/wasmd (Go) Aug 8, 2024
sushiwushi Credited to sushiwushi and cookesan cookesan cookesan
Apache Tomcat Uncontrolled Resource Consumption vulnerability Moderate
CVE-2024-54677 was published for org.apache.tomcat:tomcat (Maven) Dec 17, 2024
yusuke-koyoshi Credited to yusuke-koyoshi
Scriban has Multiple Denial-of-Service Vectors via Unbounded Resource Consumption During Expression Evaluation Moderate
GHSA-xw6w-9jjh-p9cr was published for Scriban (NuGet) Mar 24, 2026
offset Credited to offset and adamus2 adamus2 adamus2
Scriban: Built-in operations bypass LoopLimit and delay cancellation, enabling Denial of Service High
GHSA-c875-h985-hvrc was published for Scriban.Signed (NuGet) Mar 24, 2026
Zwique Credited to Zwique and adamus2 adamus2 adamus2
Spring Framework DoS with Multipart Temp Files in WebFlux Moderate
CVE-2026-22740 was published for org.springframework:spring-webflux (Maven) Apr 29, 2026
yuki-matsuhashi Credited to yuki-matsuhashi
Steeltoe.Discovery.Eureka: Unrecognized DataCenterInfo.Name poisons entire registry fetch High
CVE-2026-50196 was published for Steeltoe.Discovery.Eureka (NuGet) Jul 2, 2026
SimpleSAMLphp has Possible DoS via XPath Transform High
CVE-2026-49289 was published for simplesamlphp/saml2 (Composer) Jul 2, 2026
ahacker1-securesaml Credited to ahacker1-securesaml
Go Net HTML parser is vulnerable to denial of service Moderate
CVE-2026-25680 was published for golang.org/x/net (Go) May 26, 2026
joepurdy Credited to joepurdy
OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure High
CVE-2026-35633 was published for openclaw (npm) Mar 26, 2026
YLChen-007 Credited to YLChen-007
offset Credited to offset, jojojo8359, and smallex jojojo8359 jojojo8359
smallex smallex
oban_web: Unbounded range expansion in cron describe causes memory exhaustion Moderate
CVE-2026-48593 was published for oban_web (Erlang) Jun 30, 2026
PJUllrich Credited to PJUllrich, sorenone, and maennchen sorenone sorenone
maennchen maennchen
Hackney: Per-chunk timeout with unbounded body accumulation enables slow-drip OOM High
CVE-2026-47077 was published for hackney (Erlang) Jun 26, 2026
PJUllrich Credited to PJUllrich and maennchen maennchen maennchen
Duplicate Advisory: Hackney has an Allocation of Resources Without Limits or Throttling vulnerabilit High
GHSA-76v6-f83q-pxvh was published for hackney (Erlang) May 26, 2026 withdrawn
cookesan Credited to cookesan
RabbitMQ vulnerable to Denial of Service by publishing large messages over the HTTP API Moderate
CVE-2023-46118 was published for rabbit_common (Erlang) Jun 30, 2026
NSEcho Credited to NSEcho
smtp-server's command parser memory exhaustion denial-of-service High
CVE-2026-38728 was published for smtp-server (npm) May 15, 2026
blue2cat Credited to blue2cat
Mattermost doesn't enforce request body size limits on plugin HTTP endpoints High
CVE-2026-5308 was published for github.com/mattermost/mattermost-plugin-github (Go) May 26, 2026
Mattermost doesn't validate the TIFF IFD offset in the image header before allocating memory Moderate
CVE-2026-5755 was published for github.com/mattermost/mattermost-server (Go) May 26, 2026
scim_proto and kanidm_proto have an authenticated process abort via SCIM filter stack exhaustion High
CVE-2026-46689 was published for kanidm_proto (Rust) May 6, 2026
mbarbero Credited to mbarbero and yaleman yaleman yaleman
tonghuaroot Credited to tonghuaroot
Hackney has unbounded buffer accumulation in WebSocket High
CVE-2026-47073 was published for hackney (Erlang) Jun 26, 2026
PJUllrich Credited to PJUllrich and maennchen maennchen maennchen
ProTip! Advisories are also available from the GraphQL API