GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
3,635 advisories
yard: Possible arbitrary path traversal and file access via yard server
Moderate | CVE-2026-41493 was published for yard (RubyGems) Apr 17, 2026

Sparkle: Binary delta apply intermediate-symlink traversal in malicious .delta
Moderate | CVE-2026-47121 was published for github.com/sparkle-project/Sparkle (Swift) May 29, 2026

uv is vulnerable to arbitrary file write through entry point names
Moderate | GHSA-4gg8-gxpx-9rph was published for uv (pip) May 29, 2026

OpenClaw: Webchat audio embedding could read local files without local-root containment
Moderate | GHSA-gfg9-5357-hv4c was published for openclaw (npm) Apr 29, 2026

An improper validation of the search parameter of the com_media files API endpoint leads to a...
Moderate | Unreviewed | CVE-2026-40384 was published May 26, 2026

A path traversal vulnerability was identified in Kibana's dashboard management functionality. An...
Moderate | Unreviewed | CVE-2026-33462 was published May 28, 2026

Shamefile has an arbitrary file read via shamefile.yaml in shame next
Moderate | CVE-2026-47144 was published for shamefile (npm) May 28, 2026

compliance-trestle Profile Import has an Arbitrary File Read via trestle:// URI and Relative Path Traversal
Moderate | CVE-2026-45774 was published for compliance-trestle (pip) May 28, 2026

AsyncSSH `AuthorizedKeysFile %u` path traversal allows attacker-selected authorized keys to authenticate a traversal username
Moderate | CVE-2026-45309 was published for asyncssh (pip) May 27, 2026

IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed...
Moderate | Unreviewed | CVE-2026-9035 was published May 27, 2026

When the director sends a long-running request (e.g. compile_package), the agent's reply JSON is...
Moderate | Unreviewed | CVE-2026-41009 was published May 27, 2026

OpenKM 6.3.12 contains a local file inclusion vulnerability in the administrative scripting...
Moderate | Unreviewed | CVE-2026-41917 was published May 26, 2026

A vulnerability was determined in Acrel Electrical EEMS Enterprise Power Operation and...
Moderate | Unreviewed | CVE-2026-9550 was published May 26, 2026

Spring AI's support for Anthropic's Skills API used LLM-influenced filenames unsanitized in Path...
Moderate | Unreviewed | CVE-2026-41863 was published May 26, 2026

A security flaw has been discovered in NousResearch hermes-agent up to 2026.4.16. This...
Moderate | Unreviewed | CVE-2026-9351 was published May 26, 2026

Directory Traversal vulnerability in Easy Chat Server 3.1 allows a remote attacker to obtain...
Moderate | Unreviewed | CVE-2026-36227 was published May 26, 2026

Tekton Pipelines: VolumeMount path restriction bypass via missing filepath.Clean in /tekton/ check
Moderate | CVE-2026-40923 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026

Rust OneNote File Parser: Path traversal in `Parser::parse_notebook` allows reading files outside the notebook directory
Moderate | CVE-2026-46671 was published for onenote_parser (Rust) May 21, 2026

Mobile Verification Toolkit (MVT): Path Traversal via unsanitized File identifiers in iOS Backup processing
Moderate | CVE-2026-46486 was published for mvt (pip) May 21, 2026

Improper Input Validation vulnerability in İzmir Katip Çelebi University University Information...
Moderate | Unreviewed | CVE-2023-6190 was published Dec 27, 2023

NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a path...
Moderate | Unreviewed | CVE-2026-24208 was published May 20, 2026

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper...
Moderate | Unreviewed | CVE-2026-31379 was published May 19, 2026

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in...
Moderate | Unreviewed | CVE-2026-29220 was published May 19, 2026

Regression in pymdownx.snippets reintroduces sibling-prefix path traversal bypass despite restrict_base_path
Moderate | CVE-2026-46338 was published for pymdown-extensions (pip) May 19, 2026

AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php`
Moderate | CVE-2026-46337 was published for WWBN/AVideo (Composer) May 19, 2026

ProTip! Advisories are also available from the GraphQL API