close
Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,004
Maven
5,000+
npm
5,000+
NuGet
975
pip
5,000+
Pub
13
RubyGems
1,069
Rust
1,395
Swift
61
Unreviewed advisories
All unreviewed
5,000+

31,640 advisories

Loading
Nuxt: Dev server discloses project absolute path and persistent workspace UUID via `/.well-known/appspecific/com.chrome.devtools.json` Low
GHSA-rq7w-g337-39qq was published for nuxt (npm) Jun 15, 2026
manop55555 Credited to manop55555
aws-cdk-lib: OS Command Injection in NodejsFunction Bundling High
CVE-2026-11417 was published for aws-cdk-lib (npm) Jun 15, 2026
Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature Moderate
CVE-2026-50560 was published for io.netty:netty-codec-http2 (Maven) Jun 15, 2026
ashleytolbert Credited to ashleytolbert
Netty: HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted Moderate
CVE-2026-50020 was published for io.netty:netty-codec-http (Maven) Jun 15, 2026
chrisvest Credited to chrisvest
Netty: Unbounded pre-allocation in RedisArrayAggregator from RESP array length High
CVE-2026-50011 was published for io.netty:netty-codec-redis (Maven) Jun 15, 2026
violetagg Credited to violetagg
Netty: Wrapping plain trust manager silently disables hostname verification High
CVE-2026-50010 was published for io.netty:netty-handler (Maven) Jun 15, 2026
Netty: QUIC stateless reset token material exposed through header-visible connection IDs Moderate
CVE-2026-50009 was published for io.netty:netty-codec-classes-quic (Maven) Jun 15, 2026
violetagg Credited to violetagg
Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion High
CVE-2026-48748 was published for io.netty:netty-codec-http3 (Maven) Jun 15, 2026
violetagg Credited to violetagg
markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations Moderate
CVE-2026-48988 was published for markdown-it (npm) Jun 15, 2026
tndud042713 Credited to tndud042713
Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS High
CVE-2026-54283 was published for starlette (pip) Jun 15, 2026
EthanKim88 Credited to EthanKim88, Z-Bra0, Moaaz-0x, moizxsec, aest3ra, and oxqnd Z-Bra0 Z-Bra0
Moaaz-0x Moaaz-0x moizxsec moizxsec aest3ra aest3ra oxqnd oxqnd
OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation Moderate
CVE-2026-54285 was published for @opentelemetry/core (npm) Jun 15, 2026
tonghuaroot Credited to tonghuaroot, pichlermarc, trentm, and arminru pichlermarc pichlermarc
trentm trentm arminru arminru
Starlette: Unvalidated request path concatenated into authority poisons request.url.hostname Low
CVE-2026-54282 was published for Starlette (pip) Jun 15, 2026
nic-lovin Credited to nic-lovin
Tornado: CurlAsyncHTTPClient leaks per-request credentials on handle reuse Moderate
GHSA-pw6j-qg29-8w7f was published for tornado (pip) Jun 15, 2026
Nest: Middleware Bypass on Fastify via Trailing Slash High
CVE-2026-54281 was published for @nestjs/platform-fastify (npm) Jun 15, 2026
a-tt-om Credited to a-tt-om and kamilmysliwiec kamilmysliwiec kamilmysliwiec
python-multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service High
CVE-2026-53539 was published for python-multipart (pip) Jun 15, 2026
maxisbey Credited to maxisbey
python-multipart: Negative Content-Length in parse_form buffers the entire body in memory Low
CVE-2026-53540 was published for python-multipart (pip) Jun 15, 2026
lullu57 Credited to lullu57 and seok-hee97 seok-hee97 seok-hee97
python-multipart: Semicolon treated as querystring field separator enables parameter smuggling Low
CVE-2026-53538 was published for python-multipart (pip) Jun 15, 2026
maxisbey Credited to maxisbey
python-multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters Low
CVE-2026-53537 was published for python-multipart (pip) Jun 15, 2026
0xkakash1 Credited to 0xkakash1 and sammiee5311 sammiee5311 sammiee5311
Electron: Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow Critical
CVE-2026-54257 was published for electron (npm) Jun 15, 2026
Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient High
CVE-2026-49853 was published for tornado (pip) Jun 15, 2026
noobone123 Credited to noobone123, SnailSploit, 0xHunSec, and sondt99 SnailSploit SnailSploit
0xHunSec 0xHunSec sondt99 sondt99
tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb) High
CVE-2026-49855 was published for tornado (pip) Jun 15, 2026
yuui25 Credited to yuui25
Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows High
CVE-2026-48818 was published for starlette (pip) Jun 15, 2026
nvn1729 Credited to nvn1729
Starlette: Arbitrary HTTP method dispatched to `HTTPEndpoint` attributes via `getattr` Moderate
CVE-2026-48817 was published for starlette (pip) Jun 15, 2026
UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()` Moderate
CVE-2026-48125 was published for ua-parser-js (npm) Jun 15, 2026
sondt99 Credited to sondt99
protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names High
CVE-2026-54271 was published for protobufjs-cli (npm) Jun 15, 2026
JacobBrackett Credited to JacobBrackett and dcodeIO dcodeIO dcodeIO
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database