Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,405
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,641
Pub
13
RubyGems
1,026
Rust
1,209
Swift
53
Unreviewed advisories
All unreviewed
5,000+

28,407 advisories

Loading
pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509) High
CVE-2026-35464 was published for pyload-ng (pip) Apr 4, 2026
kodareef5 Credited to kodareef5
pyLoad: Improper Neutralization of Special Elements used in an OS Command High
CVE-2026-35463 was published for pyload-ng (pip) Apr 4, 2026
axel-corsiez Credited to axel-corsiez
pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992) Critical
CVE-2026-35459 was published for pyload-ng (pip) Apr 4, 2026
kodareef5 Credited to kodareef5
web3.py: SSRF via CCIP Read (EIP-3668) OffchainLookup URL handling Moderate
GHSA-5hr4-253g-cpx2 was published for web3 (pip) Apr 4, 2026
Nadav0077 Credited to Nadav0077
libp2p-rendezvous: Unbounded rendezvous DISCOVER cookies enable remote memory exhaustion High
CVE-2026-35457 was published for libp2p-rendezvous (Rust) Apr 4, 2026
failuresmith Credited to failuresmith
libp2p-rendezvous: Unlimited namespace registrations per peer enables OOM DoS on rendezvous servers High
CVE-2026-35405 was published for libp2p-rendezvous (Rust) Apr 4, 2026
SilentSobs Credited to SilentSobs
OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter High
GHSA-9jpj-g8vv-j5mf was published for openclaw (npm) Apr 4, 2026
BG0ECV Credited to BG0ECV
Code Extension Marketplace: Zip Slip Path Traversal High
CVE-2026-35454 was published for github.com/coder/code-marketplace (Go) Apr 4, 2026
vamsik2k5 Credited to vamsik2k5
defu: Prototype pollution via `__proto__` key in defaults argument High
CVE-2026-35209 was published for defu (npm) Apr 4, 2026
BlackHatExploitation Credited to BlackHatExploitation and kricsleo kricsleo kricsleo
AVideo: Unauthenticated Information Disclosure via Missing Auth on CloneSite client.log.php Moderate
CVE-2026-35452 was published for wwbn/avideo (Composer) Apr 4, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
AVideo: Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php Moderate
CVE-2026-35450 was published for wwbn/avideo (Composer) Apr 4, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
AVideo: Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php Moderate
CVE-2026-35449 was published for wwbn/avideo (Composer) Apr 4, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
AVideo: Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php Low
CVE-2026-35448 was published for wwbn/avideo (Composer) Apr 4, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
LightRAG: Hardcoded JWT Signing Secret Allows Authentication Bypass High
CVE-2026-30762 was published for lightrag-hku (pip) Apr 4, 2026
Venkatatadu Credited to Venkatatadu
Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries High
CVE-2026-35442 was published for directus (npm) Apr 4, 2026
Directus: Unauthenticated Denial of Service via GraphQL Alias Amplification of Expensive Health Check Resolver High
GHSA-6q22-g298-grjh was published for directus (npm) Apr 4, 2026
bugbunny-research Credited to bugbunny-research
Directus: GraphQL Alias Amplification Denial of Service Due to Missing Query Cost/Complexity Limits Moderate
CVE-2026-35441 was published for directus (npm) Apr 4, 2026
liyander Credited to liyander
Directus: Sensitive fields exposed in revision history Moderate
GHSA-mvv8-v4jj-g47j was published for directus (npm) Apr 4, 2026
Directus: TUS Upload Authorization Bypass Allows Arbitrary File Overwrite High
CVE-2026-35412 was published for directus (npm) Apr 4, 2026
bugbunny-research Credited to bugbunny-research
Directus: SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import High
CVE-2026-35409 was published for directus (npm) Apr 4, 2026
alissonbezerra Credited to alissonbezerra and odgrso odgrso odgrso
Directus: GraphQL Schema SDL Disclosure Setting Moderate
CVE-2026-35413 was published for directus (npm) Apr 4, 2026
bugbunny-research Credited to bugbunny-research and odgrso odgrso odgrso
Directus: Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow Moderate
CVE-2026-35410 was published for directus (npm) Apr 4, 2026
POV9en Credited to POV9en
Directus: Open Redirect in Admin 2FA Setup Page Moderate
CVE-2026-35411 was published for directus (npm) Apr 4, 2026
ComfortablyCoding Credited to ComfortablyCoding, Akokonunes, and neo-ai-engineer Akokonunes Akokonunes
neo-ai-engineer neo-ai-engineer
Directus: Path Traversal and Broken Access Control in File Management API High
GHSA-393c-p46r-7c95 was published for directus (npm) Apr 4, 2026
r3dpower Credited to r3dpower, pmins99, and odgrso pmins99 pmins99
odgrso odgrso
Directus: Missing Cross-Origin Opener Policy High
CVE-2026-35408 was published for directus (npm) Apr 4, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database