GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,404 advisories

Deno: Denial of service via non-ASCII bytes in WebSocket response headers Moderate
CVE-2026-55517 was published for deno (Rust) Jun 17, 2026
Credited to snoopysecurity
Deno: Permission Bypass via Unicode Normalization Mismatch on macOS (APFS) Moderate
CVE-2026-49401 was published for deno (Rust) Jun 16, 2026
Credited to tomasilluminati
Deno: Node TCPWrap numeric hostname aliases bypass --deny-net resolved-IP deny checks Moderate
CVE-2026-49411 was published for deno (Rust) Jun 16, 2026
Credited to sugarless1101
Deno: Miller-Rabin Primality Test Allows Zero Rounds High
CVE-2026-49440 was published for deno (Rust) Jun 16, 2026
Credited to HaoPham23
Deno: Command Injection via spawnSync & spawn on Windows High
CVE-2026-49402 was published for deno (Rust) Jun 16, 2026
Credited to kejcao
Credited to fallintoplace
Deno: WebSocket API sandbox bypass via missing post-DNS check Moderate
CVE-2026-49860 was published for deno (Rust) Jun 16, 2026
Credited to alcls01111
Deno: `fetch()` API sandbox bypass via missing DNS resolution check Moderate
CVE-2026-49859 was published for deno (Rust) Jun 16, 2026
Credited to alcls01111 and 7thParkk
PyO3 has a missing `Sync` bound on `PyCFunction::new_closure` closures Moderate
GHSA-chgr-c6px-7xpp was published for pyo3 (Rust) Jun 12, 2026
PyO3 has an Out-of-bounds Read in `nth` / `nth_back` for `PyList` and `PyTuple` iterators High
GHSA-36hh-v3qg-5jq4 was published for pyo3 (Rust) Jun 12, 2026
Credited to mjc
Russh: Unchecked keyboard-interactive prompt count in client auth path Moderate
CVE-2026-48107 was published for russh (Rust) Jun 11, 2026
Credited to mjc
Routinator has cache path traversal when processing the module component of rsync URIs High
CVE-2026-49233 was published for routinator (Rust) Jun 8, 2026
Routinator crashes when sending a maliciously crafted select-asn query parameter High
CVE-2026-49234 was published for routinator (Rust) Jun 8, 2026
Routinator crashes when encountering maliciously crafted RRDP XML files High
CVE-2026-49235 was published for routinator (Rust) Jun 8, 2026
skillctl: Path traversal and symlink-follow in skillctl allow arbitrary file disclosure and deletion High
GHSA-wx3m-whqv-xv47 was published for skillctl (Rust) Jun 5, 2026
wasmtime-wasi: WASI path_open(TRUNCATE) bypasses `FilePerms::WRITE` host restriction High
CVE-2026-47261 was published for wasmtime-wasi (Rust) Jun 5, 2026
Credited to shumbo
matrix-sdk-ui: Incomplete edit validation Moderate
CVE-2026-45057 was published for matrix-sdk-ui (Rust) Jun 4, 2026
Matrix Rust SDK: Sender-binding gaps in to-device and room-key attribution Moderate
CVE-2026-45056 was published for matrix-sdk-crypto (Rust) Jun 4, 2026
rattler has an entry-point path traversal in noarch:python install (arbitrary file write) Moderate
CVE-2026-47425 was published for py-rattler (pip) Jun 1, 2026
Credited to berkant-koc
russh server userauth state is not reset when authentication principal changes Moderate
CVE-2026-46705 was published for russh (Rust) May 29, 2026
Credited to mjc
uv is vulnerable to arbitrary file write through entry point names Moderate
GHSA-4gg8-gxpx-9rph was published for uv (pip) May 29, 2026
Credited to zsol and zanieb