Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
57
GitHub Actions
50
Go
3,767
Maven
5,000+
npm
5,000+
NuGet
937
pip
4,999
Pub
13
RubyGems
1,058
Rust
1,347
Swift
54
Unreviewed advisories
All unreviewed
5,000+

30 advisories

Loading
gitsign verify accepts signatures over go-git-normalized bytes, enabling trust confusion on malformed commits Moderate
CVE-2026-44309 was published for github.com/sigstore/gitsign (Go) May 8, 2026
bugbunny-research Credited to bugbunny-research
Volcano's webhook server vulnerable to OOM due to unbounded HTTP request body size Moderate
CVE-2026-44247 was published for volcano.sh/volcano (Go) May 8, 2026
JesseStutler Credited to JesseStutler, bugbunny-research, hzxuzhonghu, and kevin-wangzefeng bugbunny-research bugbunny-research
hzxuzhonghu hzxuzhonghu kevin-wangzefeng kevin-wangzefeng
gitsign --verify panics on empty-certificate PKCS7 and exits 0, bypassing exit-code callers Moderate
CVE-2026-44310 was published for github.com/sigstore/gitsign (Go) May 8, 2026
bugbunny-research Credited to bugbunny-research
vm2 has a NodeVM builtin allowlist bypass via `module` builtin's `Module._load` that allows sandbox escape Critical
CVE-2026-43999 was published for vm2 (npm) May 7, 2026
bugbunny-research Credited to bugbunny-research
zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write High
CVE-2026-42275 was published for github.com/openziti/zrok (Go) Apr 25, 2026
bugbunny-research Credited to bugbunny-research
OpenFGA has Improper Policy Enforcement Moderate
CVE-2026-41131 was published for github.com/openfga/openfga (Go) Apr 22, 2026
bugbunny-research Credited to bugbunny-research
zrok: Broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records Moderate
CVE-2026-40304 was published for github.com/openziti/zrok (Go) Apr 16, 2026
bugbunny-research Credited to bugbunny-research
zrok: Reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering Moderate
CVE-2026-40302 was published for github.com/openziti/zrok (Go) Apr 16, 2026
bugbunny-research Credited to bugbunny-research
OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response Moderate
CVE-2026-40293 was published for github.com/openfga/openfga (Go) Apr 8, 2026
bugbunny-research Credited to bugbunny-research
Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit High
CVE-2026-27806 was published for github.com/fleetdm/fleet/v4 (Go) Apr 8, 2026
bugbunny-research Credited to bugbunny-research
OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision Moderate
CVE-2026-34972 was published for github.com/openfga/openfga (Go) Apr 7, 2026
bugbunny-research Credited to bugbunny-research
Directus: Unauthenticated Denial of Service via GraphQL Alias Amplification of Expensive Health Check Resolver High
GHSA-6q22-g298-grjh was published for directus (npm) Apr 4, 2026
bugbunny-research Credited to bugbunny-research
Directus: TUS Upload Authorization Bypass Allows Arbitrary File Overwrite High
CVE-2026-35412 was published for directus (npm) Apr 4, 2026
bugbunny-research Credited to bugbunny-research
Directus: GraphQL Schema SDL Disclosure Setting Moderate
CVE-2026-35413 was published for directus (npm) Apr 4, 2026
bugbunny-research Credited to bugbunny-research and odgrso odgrso odgrso
Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write High
CVE-2026-35214 was published for @budibase/server (npm) Apr 4, 2026
bugbunny-research Credited to bugbunny-research
lodash vulnerable to Code Injection via `_.template` imports key names High
CVE-2026-4800 was published for lodash (npm) Apr 1, 2026
dolevmiz1 Credited to dolevmiz1, bugbunny-research, M0nd0R, UlisesGascon, falsyvalues, jonchurch, threalwinky, and jdalton bugbunny-research bugbunny-research
M0nd0R M0nd0R UlisesGascon UlisesGascon falsyvalues falsyvalues jonchurch jonchurch threalwinky threalwinky jdalton jdalton
Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value Moderate
CVE-2026-34595 was published for parse-server (npm) Apr 1, 2026
bugbunny-research Credited to bugbunny-research and mtrezza mtrezza mtrezza
Parse Server has a session field immutability bypass via falsy-value guard Moderate
CVE-2026-34574 was published for parse-server (npm) Apr 1, 2026
bugbunny-research Credited to bugbunny-research and mtrezza mtrezza mtrezza
parse-server has GraphQL complexity validator exponential fragment traversal DoS High
CVE-2026-34573 was published for parse-server (npm) Mar 31, 2026
bugbunny-research Credited to bugbunny-research and mtrezza mtrezza mtrezza
parse-server has cloud function validator bypass via prototype chain traversal Critical
CVE-2026-34532 was published for parse-server (npm) Mar 31, 2026
mtrezza Credited to mtrezza and bugbunny-research bugbunny-research bugbunny-research
AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy High
CVE-2026-33039 was published for wwbn/avideo (Composer) Mar 17, 2026
bugbunny-research Credited to bugbunny-research
AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments High
CVE-2026-33038 was published for wwbn/avideo (Composer) Mar 17, 2026
bugbunny-research Credited to bugbunny-research
Shopware has user enumeration via distinct error codes on Store API login endpoint Moderate
CVE-2026-31888 was published for shopware/core (Composer) Mar 11, 2026
bugbunny-research Credited to bugbunny-research
@appium/support has a Zip Slip arbitrary file write in its ZIP extraction Moderate
CVE-2026-30973 was published for @appium/support (npm) Mar 11, 2026
bugbunny-research Credited to bugbunny-research
AVideo: Unauthenticated PHP session store exposed to host network via published memcached port High
CVE-2026-29093 was published for wwbn/avideo (Composer) Mar 5, 2026
bugbunny-research Credited to bugbunny-research
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database