GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,263
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,484
Swift
61
Unreviewed advisories
All unreviewed
5,000+
1,245 advisories
Filter by severity
`melange update-cache` has unbounded HTTP download that can exhaust disk in CI
Moderate
CVE-2026-29049
was published
for
chainguard.dev/melange
(Go)
Mar 2, 2026
netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion
Moderate
CVE-2026-48043
was published
for
io.netty:netty-codec-http2
(Maven)
Jun 11, 2026
SQLFluff: Uncontrolled Resource Consumption in SQLFluff Parser
High
CVE-2026-46374
was published
for
sqlfluff
(pip)
May 19, 2026
mv: symlinks expanded during cross-device move (resource exhaustion / data duplication)
Moderate
CVE-2026-35365
was published
for
uu_mv
(Rust)
Jul 6, 2026
cp: -R reads device nodes as streams, destroying device semantics
Moderate
CVE-2026-35358
was published
for
uu_cp
(Rust)
Jul 6, 2026
CosmWasm wasmd has large address count in ValidateBasic
Moderate
GHSA-m3rh-cvr5-x6q4
was published
for
github.com/CosmWasm/wasmd
(Go)
Aug 8, 2024
Apache Tomcat Uncontrolled Resource Consumption vulnerability
Moderate
CVE-2024-54677
was published
for
org.apache.tomcat:tomcat
(Maven)
Dec 17, 2024
Scriban has Multiple Denial-of-Service Vectors via Unbounded Resource Consumption During Expression Evaluation
Moderate
GHSA-xw6w-9jjh-p9cr
was published
for
Scriban
(NuGet)
Mar 24, 2026
Scriban: Built-in operations bypass LoopLimit and delay cancellation, enabling Denial of Service
High
GHSA-c875-h985-hvrc
was published
for
Scriban.Signed
(NuGet)
Mar 24, 2026
Spring Framework DoS with Multipart Temp Files in WebFlux
Moderate
CVE-2026-22740
was published
for
org.springframework:spring-webflux
(Maven)
Apr 29, 2026
Steeltoe.Discovery.Eureka: Unrecognized DataCenterInfo.Name poisons entire registry fetch
High
CVE-2026-50196
was published
for
Steeltoe.Discovery.Eureka
(NuGet)
Jul 2, 2026
SimpleSAMLphp has Possible DoS via XPath Transform
High
CVE-2026-49289
was published
for
simplesamlphp/saml2
(Composer)
Jul 2, 2026
Go Net HTML parser is vulnerable to denial of service
Moderate
CVE-2026-25680
was published
for
golang.org/x/net
(Go)
May 26, 2026
OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure
High
CVE-2026-35633
was published
for
openclaw
(npm)
Mar 26, 2026
Micronaut has Unbounded `bundleCache` in `ResourceBundleMessageSource` that Allows Memory Exhaustion via `Accept-Language` Header
Low
CVE-2026-44242
was published
for
io.micronaut:micronaut-inject
(Maven)
May 6, 2026
oban_web: Unbounded range expansion in cron describe causes memory exhaustion
Moderate
CVE-2026-48593
was published
for
oban_web
(Erlang)
Jun 30, 2026
Hackney: Per-chunk timeout with unbounded body accumulation enables slow-drip OOM
High
CVE-2026-47077
was published
for
hackney
(Erlang)
Jun 26, 2026
Duplicate Advisory: Hackney has an Allocation of Resources Without Limits or Throttling vulnerabilit
High
GHSA-76v6-f83q-pxvh
was published
for
hackney
(Erlang)
May 26, 2026
•
withdrawn
RabbitMQ vulnerable to Denial of Service by publishing large messages over the HTTP API
Moderate
CVE-2023-46118
was published
for
rabbit_common
(Erlang)
Jun 30, 2026
smtp-server's command parser memory exhaustion denial-of-service
High
CVE-2026-38728
was published
for
smtp-server
(npm)
May 15, 2026
Mattermost doesn't enforce request body size limits on plugin HTTP endpoints
High
CVE-2026-5308
was published
for
github.com/mattermost/mattermost-plugin-github
(Go)
May 26, 2026
Mattermost doesn't validate the TIFF IFD offset in the image header before allocating memory
Moderate
CVE-2026-5755
was published
for
github.com/mattermost/mattermost-server
(Go)
May 26, 2026
scim_proto and kanidm_proto have an authenticated process abort via SCIM filter stack exhaustion
High
CVE-2026-46689
was published
for
kanidm_proto
(Rust)
May 6, 2026
js-toml vulnerable to CPU exhaustion via O(n^2) BigInt construction on radix-prefixed integer literals
High
CVE-2026-49293
was published
for
js-toml
(npm)
Jun 26, 2026
Hackney has unbounded buffer accumulation in WebSocket
High
CVE-2026-47073
was published
for
hackney
(Erlang)
Jun 26, 2026
ProTip!
Advisories are also available from the
GraphQL API