Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
86
GitHub Actions
54
Go
4,169
Maven
5,000+
npm
5,000+
NuGet
1,019
pip
5,000+
Pub
13
RubyGems
1,102
Rust
1,421
Swift
61
Unreviewed advisories
All unreviewed
5,000+

1,421 advisories

Loading
Cargo crates in third party registries can override the cached source of other crates Moderate
CVE-2026-5223 was published for cargo (Rust) Jun 26, 2026
christos-spearbit Credited to christos-spearbit, arlosi, emilyalbini, cuviper, and Manishearth arlosi arlosi
emilyalbini emilyalbini cuviper cuviper Manishearth Manishearth
Cargo can be coerced to share credentials between registries Low
CVE-2026-5222 was published for cargo (Rust) Jun 26, 2026
christos-spearbit Credited to christos-spearbit, arlosi, weihanglo, ehuss, emilyalbini, cuviper, and Manishearth arlosi arlosi
weihanglo weihanglo ehuss ehuss emilyalbini emilyalbini cuviper cuviper Manishearth Manishearth
opentelemetry_sdk has unbounded memory allocation in W3C Baggage propagation Moderate
CVE-2026-48504 was published for opentelemetry_sdk (Rust) Jun 25, 2026
tonghuaroot Credited to tonghuaroot and lalitb lalitb lalitb
fixurjavainstall: Previous Fuji versions can accidentally wipe `/usr/share/man/man8` Low
GHSA-fq3w-p4fg-mw73 was published for fixurjavainstall (Rust) Jun 25, 2026
EpicVon2468 Credited to EpicVon2468
Mise's local credential_command executes untrusted config Moderate
CVE-2026-55448 was published for mise (Rust) Jun 23, 2026
kq5y Credited to kq5y
Mise vulnerable to arbitrary command execution via task-include files in an untrusted, config-less repository High
CVE-2026-55441 was published for mise (Rust) Jun 23, 2026
0xzap Credited to 0xzap
mise HTTP backend uses raw version path for install symlink destination Moderate
CVE-2026-54557 was published for mise (Rust) Jun 23, 2026
mosskappa Credited to mosskappa
skillctl: argument injection, path traversal in --dest, FIFO/device DoS, hardlink exfiltration, and commit-trailer forgery High
GHSA-74p7-6h78-gw8p was published for skillctl (Rust) Jun 22, 2026
Mise Vulnerable to Arbitrary Code Execution via Tera Templates in .tool-versions Files (Trust Bypass) Critical
CVE-2026-33646 was published for mise (Rust) Jun 22, 2026
SurrealDB: Denial of Service via deep operator chains Moderate
GHSA-jv2j-mqmw-xvv5 was published for surrealdb (Rust) Jun 19, 2026
SurrealDB: Field-level SELECT permissions bypassed via graph and reference traversals Moderate
GHSA-hv6h-hc26-q48p was published for surrealdb (Rust) Jun 19, 2026
SurrealDB: Indexed ORDER BY leaks the value ordering of a SELECT-restricted field Moderate
GHSA-h4h3-3rfj-x6fq was published for surrealdb (Rust) Jun 19, 2026
geo-chen Credited to geo-chen
SurrealDB: Arbitrary file read via DEFINE ANALYZER mapper() filter High
GHSA-cc8f-fcx3-gpjr was published for surrealdb (Rust) Jun 19, 2026
kah-ja Credited to kah-ja
SurrealDB: SSRF via JWKS URL — Redirect Following in JWT Key Fetch Moderate
GHSA-h5rg-8p7f-47g2 was published for surrealdb (Rust) Jun 19, 2026
Pig-Tail Credited to Pig-Tail
Cloudflare Quiche: Use-after-free in connection ID iterator FFI functions Moderate
CVE-2026-11941 was published for quiche (Rust) Jun 19, 2026
LPardue Credited to LPardue
tract: Arbitrary file read via unsanitized ONNX external_data `location` (path traversal) on model load in tract-onnx Moderate
CVE-2026-55832 was published for tract-onnx (Rust) Jun 19, 2026
yannsar Credited to yannsar
tract-nnef: integer overflow in NNEF `.dat` tensor parser yields an out-of-bounds read on model load Moderate
CVE-2026-55093 was published for tract-nnef (Rust) Jun 18, 2026
s1ko Credited to s1ko
Deno: Denial of service via non-ASCII bytes in WebSocket response headers Moderate
CVE-2026-55517 was published for deno (Rust) Jun 17, 2026
snoopysecurity Credited to snoopysecurity
Deno: Permission Bypass via Unicode Normalization Mismatch on macOS (APFS) Moderate
CVE-2026-49401 was published for deno (Rust) Jun 16, 2026
tomasilluminati Credited to tomasilluminati
Deno: BYONM module resolution allows `package.json` main path traversal to bypass `--allow-read` restrictions Moderate
CVE-2026-49406 was published for deno (Rust) Jun 16, 2026
Deno: Node TCPWrap numeric hostname aliases bypass --deny-net resolved-IP deny checks Moderate
CVE-2026-49411 was published for deno (Rust) Jun 16, 2026
sugarless1101 Credited to sugarless1101
Deno: Miller-Rabin Primality Test Allows Zero Rounds High
CVE-2026-49440 was published for deno (Rust) Jun 16, 2026
HaoPham23 Credited to HaoPham23
Deno: Command Injection via spawnSync & spawn on Windows High
CVE-2026-49402 was published for deno (Rust) Jun 16, 2026
kejcao Credited to kejcao
Deno: process.loadEnvFile() bypasses env permission checks and mutates process.env with only read access Moderate
CVE-2026-49983 was published for deno (Rust) Jun 16, 2026
fallintoplace Credited to fallintoplace
Deno: WebSocket API sandbox bypass via missing post-DNS check Moderate
CVE-2026-49860 was published for deno (Rust) Jun 16, 2026
alcls01111 Credited to alcls01111
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database