豆豆友情提示:这是一个非官方 GitHub 代理镜像,主要用于网络测试或访问加速。请勿在此进行登录、注册或处理任何敏感信息。进行这些操作请务必访问官方网站 github.com。 Raw 内容也通过此代理提供。
Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,549
Maven
5,000+
npm
5,000+
NuGet
917
pip
4,798
Pub
13
RubyGems
1,038
Rust
1,237
Swift
53
Unreviewed advisories
All unreviewed
5,000+

29,215 advisories

Loading
PsiTransfer: Upload PATCH path traversal can create `config.<NODE_ENV>.js` and lead to code execution on restart High
GHSA-533q-w4g6-5586 was published for psitransfer (npm) Apr 16, 2026
pyuysig Credited to pyuysig
Mojic: Observable Timing Discrepancy in HMAC Verification Moderate
GHSA-wqq3-wfmp-v85g was published for mojic (npm) Apr 16, 2026
notamitgamer2 Credited to notamitgamer2 and notamitgamer notamitgamer notamitgamer
@node-oauth/oauth2-server: PKCE code_verifier ABNF not enforced in token exchange allows brute-force redemption of intercepted authorization codes Moderate
GHSA-jhm7-29pj-4xvf was published for @node-oauth/oauth2-server (npm) Apr 16, 2026
KarimTantawey Credited to KarimTantawey, jankapunkt, and dhensby jankapunkt jankapunkt
dhensby dhensby
ChilliCream GraphQL Platform: Utf8GraphQLParser Stack Overflow via Deeply Nested GraphQL Documents Critical
CVE-2026-40324 was published for HotChocolate.Language (NuGet) Apr 16, 2026
BZHunt Credited to BZHunt
zrok: Broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records Moderate
CVE-2026-40304 was published for github.com/openziti/zrok (Go) Apr 16, 2026
bugbunny-research Credited to bugbunny-research
zrok: Unauthenticated DoS via unbounded memory allocation in striped session cookie parsing High
CVE-2026-40303 was published for github.com/openziti/zrok (Go) Apr 16, 2026
zrok: Reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering Moderate
CVE-2026-40302 was published for github.com/openziti/zrok (Go) Apr 16, 2026
bugbunny-research Credited to bugbunny-research
Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision Moderate
CVE-2026-40256 was published for weblate (pip) Apr 16, 2026
nijel Credited to nijel and M9nx M9nx M9nx
sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements Moderate
CVE-2026-40186 was published for sanitize-html (npm) Apr 16, 2026
offset Credited to offset
Dgraph: Unauthenticated /debug/pprof/cmdline discloses admin auth token, enabling unauthorized access to protected Alpha admin endpoints Critical
CVE-2026-40173 was published for github.com/dgraph-io/dgraph (Go) Apr 16, 2026
komi22 Credited to komi22
ApostropheCMS: Information Disclosure via choices/counts Query Parameters Bypassing publicApiProjection Field Restrictions Moderate
CVE-2026-39857 was published for apostrophe (npm) Apr 16, 2026
offset Credited to offset
Weblate: SSRF via the webhook add-on using unprotected fetch_url() Moderate
CVE-2026-39845 was published for weblate (pip) Apr 16, 2026
nijel Credited to nijel
Istio: AuthorizationPolicy serviceAccounts regex injection via unescaped dots Moderate
CVE-2026-39350 was published for istio.io/istio (Go) Apr 16, 2026
Wernerina Credited to Wernerina
MCP-Framework: Unbounded memory allocation in readRequestBody allows denial of service via HTTP transport High
CVE-2026-39313 was published for mcp-framework (npm) Apr 16, 2026
razashariff Credited to razashariff
Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS High
CVE-2026-35569 was published for apostrophe (npm) Apr 16, 2026
Chittu13 Credited to Chittu13
SpdyStream: DOS on CRI High
CVE-2026-35469 was published for github.com/moby/spdystream (Go) Apr 16, 2026
Weblate: Privilege escalation in the user API endpoint High
CVE-2026-34393 was published for weblate (pip) Apr 16, 2026
tikket1 Credited to tikket1, nijel, and DavidCarliez nijel nijel
DavidCarliez DavidCarliez
Weblate: SSRF via Project-Level Machinery Configuration Moderate
CVE-2026-34244 was published for weblate (pip) Apr 16, 2026
DavidCarliez Credited to DavidCarliez, nijel, and amCap1712 nijel nijel
amCap1712 amCap1712
Weblate: Arbitrary File Read via Symlink High
CVE-2026-34242 was published for weblate (pip) Apr 16, 2026
DavidCarliez Credited to DavidCarliez
Valtimo: Sensitive data exposure through inbox message logging in InboxHandlingService Moderate
CVE-2026-34164 was published for com.ritense.valtimo:inbox (Maven) Apr 16, 2026
ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context Moderate
CVE-2026-33889 was published for apostrophe (npm) Apr 16, 2026
offset Credited to offset
ApostropheCMS: publicApiProjection Bypass via project Query Builder in Piece-Type REST API Moderate
CVE-2026-33888 was published for apostrophe (npm) Apr 16, 2026
offset Credited to offset
ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint Low
CVE-2026-33877 was published for apostrophe (npm) Apr 16, 2026
offset Credited to offset
Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads Moderate
CVE-2026-33440 was published for weblate (pip) Apr 16, 2026
spbavarva Credited to spbavarva and nijel nijel nijel
Weblate: Remote code execution during backup restoration High
CVE-2026-33435 was published for weblate (pip) Apr 16, 2026
nijel Credited to nijel and amCap1712 amCap1712 amCap1712
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database