
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

25,792 advisories

PrestaShop affected by time based enumeration in FO login form (Moderate)
GHSA-67v7-3g49-mxh2 was published for prestashop/prestashop (Composer) Feb 3, 2026

Qwik City Open Redirect via fixTrailingSlash (Low)
CVE-2026-25149 was published for @builder.io/qwik-city (npm) Feb 3, 2026
Credited to wodzen

Qwik City has a CSRF Protection Bypass via Content-Type Header Validation (Moderate)
CVE-2026-25151 was published for @builder.io/qwik-city (npm) Feb 3, 2026
Credited to KageShiron

Prototype Pollution via FormData Processing in Qwik City (Critical)
CVE-2026-25150 was published for @builder.io/qwik-city (npm) Feb 3, 2026
Credited to yueyueL

Qwik SSR XSS via Unsafe Virtual Node Serialization (Moderate)
CVE-2026-25148 was published for @builder.io/qwik-city (npm) Feb 3, 2026
Credited to wodzen

@isaacs/brace-expansion has Uncontrolled Resource Consumption (Critical)
GHSA-7h2j-956f-4vf2 was published for @isaacs/brace-expansion (npm) Feb 3, 2026
Credited to Jvr2022

Claude Code has a Command Injection in find Command Bypasses User Approval Prompt (High)
CVE-2026-24887 was published for @anthropic-ai/claude-code (npm) Feb 3, 2026

Claude Code has a Path Restriction Bypass via ZSH Clobber which Allows Arbitrary File Writes (High)
CVE-2026-24053 was published for @anthropic-ai/claude-code (npm) Feb 3, 2026

HtmlSanitizer has a bypass via template tag (Moderate)
CVE-2026-25543 was published for HtmlSanitizer (NuGet) Feb 3, 2026
Credited to nsysean

bytes has integer overflow in BytesMut::reserve (Moderate)
CVE-2026-25541 was published for bytes (Rust) Feb 3, 2026
Credited to ksj1230, Darksonn, and seanmonstar

Claude Code has a Domain Validation Bypass which Allows Automatic Requests to Attacker-Controlled Domains (High)
CVE-2026-24052 was published for @anthropic-ai/claude-code (npm) Feb 3, 2026

OpenSTAManager has an SQL Injection in the Stampe Module (High)
CVE-2025-69215 was published for devcode-it/openstamanager (Composer) Feb 3, 2026
Credited to lukasz-rybak

jsonwebtoken has Type Confusion that leads to potential authorization bypass (Moderate)
CVE-2026-25537 was published for jsonwebtoken (Rust) Feb 3, 2026
Credited to Kr1shna4garwal

OpenSTAManager has a SQL Injection in ajax_complete.php (get_sedi endpoint) (High)
CVE-2025-69213 was published for devcode-it/openstamanager (Composer) Feb 3, 2026
Credited to lukasz-rybak

Cloudflare Agents SDK has Insecure Direct Object Reference (IDOR) via Header-Based Email Routing (Moderate)
CVE-2026-1664 was published for agents (npm) Feb 3, 2026

Wagtail has improper permission handling on admin preview endpoints (Moderate)
CVE-2026-25517 was published for wagtail (pip) Feb 3, 2026
Credited to thxtech, gasman, RealOrangeOne, and laymonage

Podinfo affected by Arbitrary File Upload that leads to Stored Cross-Site Scripting (XSS) (Low)
CVE-2025-70849 was published for github.com/stefanprodan/podinfo (Go) Feb 3, 2026

Apache Syncope: Console XXE on Keymaster parameters (Moderate)
CVE-2026-23795 was published for org.apache.syncope.client.idrepo:syncope-client-idrepo-console (Maven) Feb 3, 2026

Apache Syncope: Reflected XSS on Enduser Login (Moderate)
CVE-2026-23794 was published for org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui (Maven) Feb 3, 2026

FacturaScripts has SQL Injection in Autocomplete Actions (High)
CVE-2026-25514 was published for facturascripts/facturascripts (Composer) Feb 3, 2026
Credited to lukasz-rybak

FacturaScripts has SQL Injection in API ORDER BY Clause (High)
CVE-2026-25513 was published for facturascripts/facturascripts (Composer) Feb 3, 2026
Credited to lukasz-rybak

JinJava Bypass through ForTag leads to Arbitrary Java Execution (Critical)
CVE-2026-25526 was published for com.hubspot.jinjava:jinjava (Maven) Feb 3, 2026
Credited to twilliamson-an, akues-an, and jasmith-hs

Unstructured has Path Traversal via Malicious MSG Attachment that Allows Arbitrary File Write (Critical)
CVE-2025-64712 was published for unstructured (pip) Feb 3, 2026

Compressing Vulnerable to Arbitrary File Write via Symlink Extraction (High)
CVE-2026-24884 was published for compressing (npm) Feb 3, 2026
Credited to Heeqw