GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
3,317 advisories
A weakness has been identified in Zod jsVideoUrlParser up to 0.5.1. The impacted element is the...
Moderate | Unreviewed | CVE-2026-5986 was published Apr 10, 2026

OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths
Low | GHSA-25wv-8phj-8p7r was published for openclaw (npm) Apr 9, 2026

Tmds.DBus: malicious D-Bus peers can spoof signals, exhaust file descriptor resources, and cause denial of service
High | CVE-2026-39959 was published for Tmds.DBus (NuGet) Apr 8, 2026

Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive...
Moderate | Unreviewed | CVE-2026-33459 was published Apr 8, 2026

Axios HTTP/2 Session Cleanup State Corruption Vulnerability
Moderate | CVE-2026-39865 was published for axios (npm) Apr 8, 2026

kubernetes-graphql-gateway: GraphQL Endpoint Vulnerable to Authenticated Denial-of-Service via Unrestricted Query Execution
Moderate | GHSA-h9mw-h4qc-f5jf was published for github.com/platform-mesh/kubernetes-graphql-gateway (Go) Apr 8, 2026

LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter
Low | CVE-2026-34166 was published for liquidjs (npm) Apr 8, 2026

FastFeedParser has an infinite redirect loop DoS via meta-refresh chain
High | CVE-2026-39376 was published for fastfeedparser (pip) Apr 8, 2026

skilleton has improper input handling in repository/path processing
Moderate | GHSA-5g3j-89fr-r2vp was published for skilleton (npm) Apr 8, 2026

netavark has incorrect error handling for malformed tcp packets
Moderate | CVE-2026-35406 was published for netavark (Rust) Apr 7, 2026

OpenTelemetry-Go: multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)
High | CVE-2026-29181 was published for go.opentelemetry.io/otel/baggage (Go) Apr 7, 2026

Apache Cassandra has an authenticated DoS over CQL
Low | CVE-2026-32588 was published for org.apache.cassandra:cassandra-all (Maven) Apr 7, 2026

Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution
High | CVE-2026-34148 was published for @fedify/fedify (npm) Apr 7, 2026

PocketMine-MP: LogDoS by large complex unknown property logging in clientData in LoginPacket
High | GHSA-h6rj-3m53-887h was published for pocketmine/pocketmine-mp (Composer) Apr 6, 2026

An issue was discovered in NAS in Samsung Mobile Processor, Wearable Processor, and Modem Exynos...
High | Unreviewed | CVE-2025-54324 was published Apr 6, 2026

An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, and Modem Exynos...
Critical | Unreviewed | CVE-2025-58349 was published Apr 6, 2026

In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service...
Moderate | Unreviewed | CVE-2026-0049 was published Apr 6, 2026

An issue was discovered in USIM in Samsung Mobile Processor, Wearable Processor, and Modem Exynos...
High | Unreviewed | CVE-2025-59440 was published Apr 6, 2026

strawberry-graphql: Denial of Service via unbounded WebSocket subscriptions
High | CVE-2026-35526 was published for strawberry-graphql (pip) Apr 6, 2026

Directus: Unauthenticated Denial of Service via GraphQL Alias Amplification of Expensive Health Check Resolver
High | GHSA-6q22-g298-grjh was published for directus (npm) Apr 4, 2026

Directus: GraphQL Alias Amplification Denial of Service Due to Missing Query Cost/Complexity Limits
Moderate | CVE-2026-35441 was published for directus (npm) Apr 4, 2026

Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service
High | CVE-2026-34824 was published for mesop (pip) Apr 3, 2026

An issue in Dokuwiki v.2025-05-14b 'Librarian' allows a remote attacker to cause a denial of...
High | Unreviewed | CVE-2026-26477 was published Apr 3, 2026

OpenClaw: Voice-call still parses large WebSocket frames before start validation (Incomplete fix for CVE-2026-32062)
Moderate | GHSA-2w79-r9g8-wmcr was published for openclaw (npm) Apr 3, 2026

OpenClaw: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion
Moderate | GHSA-p464-m8x6-vhv8 was published for openclaw (npm) Apr 3, 2026

ProTip! Advisories are also available from the GraphQL API