
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

25,938 advisories

Pydantic AI has Stored XSS via Path Traversal in Web UI CDN URL (Severity: High)
CVE-2026-25640 was published for pydantic-ai (pip) Feb 6, 2026
Credited to doredry, urioren, and amiteliahu
Semantic Kernel has Arbitrary File Write via AI Agent Function Calling in .NET SDK (Severity: Critical)
CVE-2026-25592 was published for Microsoft.SemanticKernel.Core (NuGet) Feb 6, 2026
Credited to doredry, amiteliahu, and urioren
SCEditor has DOM XSS via emoticon URL/HTML injection (Severity: Moderate)
CVE-2026-25581 was published for sceditor (npm) Feb 6, 2026
Credited to sofianeelhor
Pydantic AI has Server-Side Request Forgery (SSRF) in URL Download Handling (Severity: High)
CVE-2026-25580 was published for pydantic-ai (pip) Feb 6, 2026
Credited to YuvalElbar6 and doredry
Gophish is vulnerable to Incorrect Access Control (Severity: Moderate)
CVE-2025-70963 was published for github.com/gophish/gophish (Go) Feb 6, 2026
Mattermost Confluence plugin doesn't properly escape user-controlled display names in HTML template rendering (Severity: High)
CVE-2025-13523 was published for github.com/mattermost/mattermost-plugin-confluence (Go) Feb 6, 2026
OpenSTAManager has a SQL Injection in the Prima Nota module (Severity: High)
CVE-2026-24419 was published for devcode-it/openstamanager (Composer) Feb 6, 2026
Credited to lukasz-rybak
OpenSTAManager has a SQL Injection vulnerability in the Scadenzario bulk operations module (Severity: High)
CVE-2026-24418 was published for devcode-it/openstamanager (Composer) Feb 6, 2026
Credited to lukasz-rybak
OpenSTAManager has a Time-Based Blind SQL Injection with Amplified Denial of Service (Severity: High)
CVE-2026-24417 was published for devcode-it/openstamanager (Composer) Feb 6, 2026
Credited to lukasz-rybak
OpenSTAManager has a Time-Based Blind SQL Injection in Article Pricing Module (Severity: High)
CVE-2026-24416 was published for devcode-it/openstamanager (Composer) Feb 6, 2026
Credited to lukasz-rybak
Gogs vulnerable to arbitrary file deletion via Path Traversal in wiki page update (Severity: High)
CVE-2026-24135 was published for gogs.io/gogs (Go) Feb 6, 2026
Credited to reschjonas
Gogs has arbitrary file read/write via Path Traversal in Git hook editing (Severity: Moderate)
CVE-2026-23633 was published for gogs.io/gogs (Go) Feb 6, 2026
Credited to odgrso
Gogs user can update repository content with read-only permission (Severity: Moderate)
CVE-2026-23632 was published for gogs.io/gogs (Go) Feb 6, 2026
Credited to odgrso
Gogs has a Denial of Service issue (Severity: Moderate)
CVE-2026-22592 was published for gogs.io/gogs (Go) Feb 6, 2026
Credited to Neptunium931
OpenSTAManager has a SQL Injection in Scadenzario Print Template (Severity: High)
CVE-2025-69216 was published for devcode-it/openstamanager (Composer) Feb 6, 2026
Credited to lukasz-rybak
OpenSTAManager has a SQL Injection in ajax_select.php (componenti endpoint) (Severity: High)
CVE-2025-69214 was published for devcode-it/openstamanager (Composer) Feb 6, 2026
Credited to lukasz-rybak
OpenSTAManager has an OS Command Injection in P7M File Processing (Severity: Critical)
CVE-2025-69212 was published for devcode-it/openstamanager (Composer) Feb 6, 2026
Credited to lukasz-rybak
Gogs Vulnerable to 2FA Bypass via Recovery Code (Severity: High)
CVE-2025-64175 was published for gogs.io/gogs (Go) Feb 6, 2026
Gogs's update .git/config file allows remote command execution (Severity: Critical)
CVE-2025-64111 was published for gogs.io/gogs (Go) Feb 6, 2026
Credited to ROPShell
Neo4j Enterprise and Community editions have insufficient escaping of unicode characters in query log (Severity: Low)
CVE-2026-1337 was published for org.neo4j:neo4j (Maven) Feb 6, 2026
Sliver Vulnerable to Website Path Traversal / Arbitrary File Read (Authenticated) (Severity: Moderate)
CVE-2026-25760 was published for github.com/bishopfox/sliver (Go) Feb 5, 2026
Credited to xtle0o0
OpenFGA Improper Policy Enforcement (Severity: Moderate)
CVE-2026-24851 was published for github.com/openfga/openfga (Go) Feb 5, 2026
@nyariv/sandboxjs vulnerable to sandbox escape via TOCTOU bug on keys in property accesses (Severity: Critical)
CVE-2026-25641 was published for @nyariv/sandboxjs (npm) Feb 5, 2026
Credited to cristianstaicu
OpenCloud Affected by Public Link Exploit (Severity: High)
GHSA-vf5j-r2hw-2hrw was published for github.com/opencloud-eu/opencloud (Go) Feb 5, 2026
Credited to rhafer, aduffeck, dragotin, and micbar
qdrant has arbitrary file write via `/logger` endpoint (Severity: High)
CVE-2026-25628 was published for qdrant (Rust) Feb 5, 2026
Credited to Ezzer17