
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

28,980 advisories

Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate Moderate
CVE-2026-40486 was published for kimai/kimai (Composer) Apr 15, 2026
Credited to udaypali
Kimai has Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget Moderate
CVE-2026-40479 was published for kimai/kimai (Composer) Apr 15, 2026
Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf Critical
CVE-2026-40478 was published for org.thymeleaf:thymeleaf (Maven) Apr 15, 2026
Improper restriction of the scope of accessible objects in Thymeleaf expressions Critical
CVE-2026-40477 was published for org.thymeleaf:thymeleaf (Maven) Apr 15, 2026
python-multipart affected by Denial of Service via large multipart preamble or epilogue data Moderate
CVE-2026-40347 was published for python-multipart (pip) Apr 15, 2026
Credited to HamdaanAliQuatil and defnull
NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins Moderate
CVE-2026-40346 was published for @nocobase/plugin-workflow-request (npm) Apr 15, 2026
PocketMine-MP has LogDoS by many junk properties in client data JWT in LoginPacket Moderate
GHSA-xp4f-g2cm-rhg7 was published for pocketmine/pocketmine-mp (Composer) Apr 15, 2026
Credited to DrakzoSurYT and dktapps
pypdf has long runtimes for wrong size values in cross-reference and object streams Moderate
GHSA-jj6c-8h6c-hppx was published for pypdf (pip) Apr 15, 2026
Credited to alpakalee and stefan6419846
OpenRemote has XXE in Velbus Asset Import High
CVE-2026-40882 was published for io.openremote:openremote-manager (Maven) Apr 15, 2026
Credited to KKC73
thin-vec: Use-After-Free and Double Free in IntoIter::drop When Element Drop Panics High
GHSA-xphw-cqx3-667j was published for thin-vec (Rust) Apr 15, 2026
Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type Header High
CVE-2026-33806 was published for fastify (npm) Apr 15, 2026
Credited to mcollina, climba03003, jsumners, and UlisesGascon
OAuth2 Proxy has an Authentication Bypass via Fragment Confusion in skip_auth_routes and skip_auth_regex High
GHSA-pxq7-h93f-9jrg was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) Apr 15, 2026
Credited to rootxharsh
OAuth2 Proxy has an Authorization Bypass in Email Domain Validation via Malformed Multi-@ Email Claims Moderate
CVE-2026-40574 was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) Apr 15, 2026
Credited to kodareef5
OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing Critical
CVE-2026-40575 was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) Apr 15, 2026
Credited to iamnoooob
Data Sharing Framework has an Inverted Time Comparison in OIDC JWKS and Token Cache Moderate
GHSA-xmj9-7625-f634 was published for dev.dsf:dsf-bpe-process-api-v2 (Maven) Apr 15, 2026
Data Sharing Framework is Missing Session Timeout for OIDC Sessions Moderate
GHSA-gj7p-595x-qwf5 was published for dev.dsf:dsf-bpe-server (Maven) Apr 15, 2026
Sync-in Server has Username Enumeration via Timing Attack Moderate
GHSA-43fj-qp3h-hrh5 was published for @sync-in/server (npm) Apr 15, 2026
Credited to ppfeister and 7185
Defense in Depth update for NuGet Client Low
GHSA-g4vj-cjjj-v7hg was published for NuGet.CommandLine (NuGet) Apr 14, 2026
Credited to michaelknap
Jetty has HTTP Request Smuggling via Chunked Extension Quoted-String Parsing High
CVE-2026-2332 was published for org.eclipse.jetty:jetty-http (Maven) Apr 14, 2026
Credited to xclow3n
MinIO has an Unauthenticated Object Write via Query-String Credential Signature Bypass in Unsigned-Trailer Uploads High
GHSA-hv4r-mvr4-25vw was published for github.com/minio/minio (Go) Apr 14, 2026
Credited to ddd, harshavardhana, and donatello
Kiota: Code Generation Literal Injection High
GHSA-2hx3-vp6r-mg3f was published for kiota (NuGet) Apr 14, 2026
Credited to baywet and gavinbarron
pyLoad's Session Not Invalidated After Permission Changes Low
GHSA-fj52-5g4h-gmq8 was published for pyload-ng (pip) Apr 14, 2026
Credited to PinkDraconian
pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass) High
GHSA-66hx-chf7-3332 was published for pyload-ng (pip) Apr 14, 2026
Credited to komi22
Craft CMS has a host header injection leading to SSRF via resource-js endpoint Moderate
GHSA-95wr-3f2v-v2wh was published for craftcms/cms (Composer) Apr 14, 2026
Credited to HuajiHD