GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories (5,000+ total) by ecosystem: Composer 5,000+; Erlang 50; GitHub Actions 50; Go 3,673; Maven 5,000+; npm 5,000+; NuGet 932; pip 4,891; Pub 13; RubyGems 1,051; Rust 1,315; Swift 53.
Unreviewed advisories: 5,000+.
29,827 advisories in total.
Prometheus: Remote read endpoint allows denial of service via crafted snappy payload
High. CVE-2026-42154 was published for github.com/prometheus/prometheus (Go) on May 5, 2026.

Prometheus Azure AD remote write OAuth client secret exposed via config API
High. CVE-2026-42151 was published for github.com/prometheus/prometheus (Go) on May 5, 2026.

XWiki PlantUML Macro Vulnerable to Server-Side Request Forgery (SSRF) via 'server' parameter
Moderate. CVE-2026-42140 was published for org.xwiki.contrib.plantuml:macro-plantuml-macro (Maven) on May 5, 2026.

gix and gitoxide: unvalidated submodule name traverses out of .git/modules and redirects state() / open() to another repository
High. GHSA-fr8x-3vfx-f45h was published for gitoxide (Rust) on May 5, 2026.

gix and gitoxide's symlinked .gitmodules are followed and parsed from outside of the repository
High. GHSA-pg4w-g64p-qwhj was published for gitoxide (Rust) on May 5, 2026.

gix-pack has multiple DoS vectors: unchecked indexing panics and uncapped OOM allocations from crafted pack data
High. GHSA-x494-mj8g-cj27 was published for gix-pack (Rust) on May 5, 2026.

gitoxide: CommandForbiddenInModulesConfiguration Bypass in gix_submodule::File::update() Enables Arbitrary Command Execution via .gitmodules
High. GHSA-f26g-jm89-4g65 was published for gix (Rust) on May 5, 2026.

gix's submodule name validation bypass + trust inheritance flaw enables path traversal and credential disclosure
High. GHSA-p3hw-mv63-rf9w was published for gix (Rust) on May 5, 2026.

gix-transport: HTTP credentials leaked to redirected host in curl backend
Moderate. GHSA-9857-6mw7-fq2m was published for gix-transport (Rust) on May 5, 2026.

Video: Reflected XSS in plugin/Meet/iframe.php via Unescaped user and pass Parameters in JavaScript String Literal
Moderate. CVE-2026-43878 was published for wwbn/avideo (Composer) on May 5, 2026.

AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Authenticated Users' Profile Photos with Arbitrary Content
Moderate. CVE-2026-43877 was published for wwbn/avideo (Composer) on May 5, 2026.

AVideo: HTML Injection in notifySubscribers.json.php Allows Platform-Branded Phishing Emails to Channel Subscribers
Moderate. CVE-2026-43876 was published for wwbn/avideo (Composer) on May 5, 2026.

AVideo: Password Hash Leak in MobileManager OAuth Redirect URL Enables Account Takeover
Moderate. CVE-2026-43875 was published for wwbn/avideo (Composer) on May 5, 2026.

AVideo has an Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg['json']` Relay Bypass
High. CVE-2026-43874 was published for wwbn/avideo (Composer) on May 5, 2026.

AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server
High. CVE-2026-43873 was published for wwbn/avideo (Composer) on May 5, 2026.

PPTAgent: Arbitrary File Write via `save_generated_slides`
Moderate. CVE-2026-42080 was published for pptagent (pip) on May 5, 2026.

PPTAgent: Arbitrary Code Execution via Python eval() of LLM-Generated Code with Builtins in Scope
High. CVE-2026-42079 was published for pptagent (pip) on May 5, 2026.

PPTAgent: Arbitrary File Write + Directory Creation via markdown_table_to_image
Moderate. CVE-2026-42078 was published for pptagent (pip) on May 5, 2026.

S3-Proxy has Security Issues in its Resource Path Matching Implementation
Critical. CVE-2026-42882 was published for github.com/oxyno-zeta/s3-proxy (Go) on May 5, 2026.

awslabs/tough is Missing Delegated Metadata Validation
High. CVE-2026-6967 was published for tough (Rust) on May 5, 2026.

awslabs/tough Delegated Roles have a Signature Threshold Bypass
High. CVE-2026-6966 was published for tough (Rust) on May 5, 2026.

OpenClaw's gateway config mutation guard allowed unsafe model-driven config writes
High. GHSA-cwj3-vqpp-pmxr was published for openclaw (npm) on May 5, 2026.

OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution
High. GHSA-r39h-4c2p-3jxp was published for openclaw (npm) on May 5, 2026.

OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload
Moderate. GHSA-q8ff-7ffm-m3r9 was published for openclaw (npm) on May 5, 2026.

@workos/authkit-session has an Open Redirect via state-derived redirect target
Moderate. CVE-2026-42565 was published for @workos/authkit-session (npm) on May 5, 2026.
Advisories are also available from the GraphQL API.