GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Advisory counts by ecosystem (GitHub reviewed advisories):

| Ecosystem | Reviewed advisories |
|---|---|
| All reviewed | 5,000+ |
| Composer | 5,000+ |
| Erlang | 91 |
| GitHub Actions | 54 |
| Go | 4,194 |
| Maven | 5,000+ |
| npm | 5,000+ |
| NuGet | 1,021 |
| pip | 5,000+ |
| Pub | 13 |
| RubyGems | 1,102 |
| Rust | 1,422 |
| Swift | 61 |

Unreviewed advisories (all unreviewed): 5,000+

32,624 advisories
| Advisory | Severity | ID | Package (ecosystem) | Published |
|---|---|---|---|---|
| @microsoft/kiota-http-fetchlibrary: Bearer token and Cookie leak across origin on redirect due to case-mismatched scrub in fetchRequestAdapter | Moderate | CVE-2026-49336 | @microsoft/kiota-http-fetchlibrary (npm) | Jun 26, 2026 |
| js-toml vulnerable to CPU exhaustion via O(n^2) BigInt construction on radix-prefixed integer literals | High | CVE-2026-49293 | js-toml (npm) | Jun 26, 2026 |
| SolidInvoice: IDOR in LiveComponent allows same-company cross-user access to API tokens and notification transport settings | High | GHSA-7vfx-4246-jcfh | solidinvoice/solidinvoice (Composer) | Jun 26, 2026 |
| Statamic CMS's unsafe method invocation via collection sorting allows data destruction | High | CVE-2026-49287 | statamic/cms (Composer) | Jun 26, 2026 |
| Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources | Moderate | CVE-2026-49288 | statamic/cms (Composer) | Jun 26, 2026 |
| PhpWeasyPrint vulnerable to SSRF and local file disclosure via the attachment option | Moderate | CVE-2026-49359 | pontedilana/php-weasyprint (Composer) | Jun 26, 2026 |
| PhpWeasyPrint vulnerable to arbitrary file deletion at shutdown via public $temporaryFiles | Low | CVE-2026-49358 | pontedilana/php-weasyprint (Composer) | Jun 26, 2026 |
| PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass) | High | CVE-2026-49286 | pontedilana/php-weasyprint (Composer) | Jun 26, 2026 |
| Hackney vulnerable to atom-table exhaustion via unrecognized URL schemes | High | CVE-2026-47067 | hackney (Erlang) | Jun 26, 2026 |
| Hackney has unbounded buffer accumulation in WebSocket | High | CVE-2026-47073 | hackney (Erlang) | Jun 26, 2026 |
| Hackney has CRLF / header injection in WebSocket upgrade request | Moderate | CVE-2026-47072 | hackney (Erlang) | Jun 26, 2026 |
| Hackney has CR/LF injection in query parameter | Moderate | CVE-2026-47075 | hackney (Erlang) | Jun 26, 2026 |
| Hackney: Per-chunk timeout with unbounded body accumulation enables slow-drip OOM | High | CVE-2026-47077 | hackney (Erlang) | Jun 26, 2026 |
| Hackney: Cross-origin Redirect Leaks Authorization, Cookie, and Request Body | Moderate | CVE-2026-47070 | hackney (Erlang) | Jun 26, 2026 |
| Hackney has SSRF allowlist bypass in hackney_url:normalize/2 via percent-encoded host | Moderate | CVE-2026-47076 | hackney (Erlang) | Jun 26, 2026 |
| Hackney has CRLF / header injection via unvalidated `domain` and `path` options | Low | CVE-2026-47069 | hackney (Erlang) | Jun 26, 2026 |
| Hackney: `ssl:connect/2` post-handshake upgrade has no timeout | High | CVE-2026-47071 | hackney (Erlang) | Jun 26, 2026 |
| Hackney has an infinite loop on non-token byte at start of an Alt-Svc entry | High | CVE-2026-47066 | hackney (Erlang) | Jun 26, 2026 |
| Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication | High | CVE-2026-49357 | line-desktop-mcp (npm) | Jun 26, 2026 |
| Aimeos Pagible CMS vulnerable to Server Side Request Forgery (SSRF) via DNS rebinding in admin proxy | Low | CVE-2026-49262 | aimeos/pagible (Composer) | Jun 26, 2026 |
| pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile | Moderate | CVE-2026-48995 | pnpm (npm) | Jun 26, 2026 |
| Cargo crates in third party registries can override the cached source of other crates | Moderate | CVE-2026-5223 | cargo (Rust) | Jun 26, 2026 |
| Cargo can be coerced to share credentials between registries | Low | CVE-2026-5222 | cargo (Rust) | Jun 26, 2026 |
| php-weasyprint: shell command injection via configurable WeasyPrint binary path due to inverted is_executable() guard (mirror of KnpLabs/snappy GHSA-vpr4-p6fq-85jc) | High | CVE-2026-49260 | pontedilana/php-weasyprint (Composer) | Jun 26, 2026 |
| Nebula Mesh: Web UI lacks ownership checks, enabling cross-operator access to hosts and networks (read, block, delete) | High | CVE-2026-49258 | github.com/juev/nebula-mesh (Go) | Jun 26, 2026 |
Advisories are also available from the GraphQL API.