GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
102
GitHub Actions
54
Go
4,323
Maven
5,000+
npm
5,000+
NuGet
1,031
pip
5,000+
Pub
13
RubyGems
1,122
Rust
1,494
Swift
61
Unreviewed advisories
All unreviewed
5,000+
33,317 advisories
Filter by severity
ToolHive: SSRF in remote MCP server authentication discovery (host-side, bypasses container isolation)
Low
CVE-2026-58196
was published
for
github.com/stacklok/toolhive
(Go)
Jul 15, 2026
adawolfa/isdoc: Uncontrolled resource consumption (decompression bomb) when reading untrusted ISDOCX or PDF files
Moderate
GHSA-xg43-5579-qw6v
was published
for
adawolfa/isdoc
(Composer)
Jul 15, 2026
@andrea9293/mcp-documentation-server: Web UI API binds to all interfaces without authentication by default
High
CVE-2026-54504
was published
for
@andrea9293/mcp-documentation-server
(npm)
Jul 15, 2026
systeminformation: OS command injection in networkInterfaces() via interfaces(5) source-directive path on Linux
High
CVE-2026-50289
was published
for
systeminformation
(npm)
Jul 15, 2026
Pomerium Pre-Auth Memory Exhaustion via Unbounded zstd Decompression in HPKE Callback
High
CVE-2026-50285
was published
for
github.com/pomerium/pomerium
(Go)
Jul 15, 2026
dd-trace-rb: Improper parsing of W3C baggage headers may lead to DoS
High
CVE-2026-50276
was published
for
datadog
(RubyGems)
Jul 15, 2026
dd-trace-go: Improper parsing of W3C baggage headers may lead to DoS
High
CVE-2026-50274
was published
for
github.com/DataDog/dd-trace-go
(Go)
Jul 15, 2026
dd-trace-dotnet: Improper parsing of W3C baggage headers may lead to DoS
High
CVE-2026-50273
was published
for
Datadog.Trace
(NuGet)
Jul 15, 2026
dd-trace-js: Improper parsing of W3C baggage headers may lead to DoS
High
CVE-2026-50272
was published
for
dd-trace
(npm)
Jul 15, 2026
dd-trace-py: Improper parsing of W3C baggage headers may lead to DoS
High
CVE-2026-50271
was published
for
ddtrace
(pip)
Jul 15, 2026
dd-trace-java: Improper parsing of W3C baggage headers may lead to DoS
High
CVE-2026-50270
was published
for
com.datadoghq:dd-java-agent
(Maven)
Jul 15, 2026
ViewComponent: Reused Component Instances Retain Stale Render Context
Moderate
CVE-2026-54497
was published
for
view_component
(RubyGems)
Jul 15, 2026
ViewComponent: around_render HTML-Safety Bypass
High
CVE-2026-54498
was published
for
view_component
(RubyGems)
Jul 15, 2026
open-feature-operator: Cross-namespace FeatureFlagSource and InProcessConfiguration resolution exposes spec contents on multi-tenant clusters
Moderate
CVE-2026-54495
was published
for
github.com/open-feature/open-feature-operator
(Go)
Jul 15, 2026
django-haystack: Remote Code Execution via `eval()` in Elasticsearch Result Deserialization
High
GHSA-r3hx-x5rh-p9vv
was published
for
django-haystack
(pip)
Jul 15, 2026
serde_with: KeyValueMap serialization panics on empty sequence or map entries
Moderate
GHSA-7gcf-g7xr-8hxj
was published
for
serde_with
(Rust)
Jul 15, 2026
websocket-driver: Resource limit bypass via message compression
Moderate
CVE-2026-54490
was published
for
websocket-driver
(npm)
Jul 15, 2026
websocket-driver: Message corruption via abuse of protocol length headers
Critical
CVE-2026-54466
was published
for
websocket-driver
(npm)
Jul 15, 2026
websocket-driver: Memory exhaustion in HTTP header parser
Moderate
CVE-2026-54465
was published
for
websocket-driver
(RubyGems)
Jul 15, 2026
websocket-driver: Resource limit bypass via message compression
Moderate
CVE-2026-54464
was published
for
websocket-driver
(RubyGems)
Jul 15, 2026
websocket-driver: Memory exhaustion via abuse of protocol length headers
Moderate
CVE-2026-54463
was published
for
websocket-driver
(RubyGems)
Jul 15, 2026
Pixeldrain API key shared with unverified thirdparty sites
Moderate
CVE-2026-54254
was published
for
cyberdrop-dl-patched
(pip)
Jul 15, 2026
TensorZero Gateway: Arbitrary file read and SSRF in internal object storage endpoint
High
CVE-2026-54457
was published
for
tensorzero
(pip)
Jul 15, 2026
safeurl is Missing IPv6 CIDR Ranges in Blocklist
Moderate
CVE-2026-54452
was published
for
github.com/doyensec/safeurl
(Go)
Jul 15, 2026
FiftyOne App server uses wildcard CORS (Access-Control-Allow-Origin: *), enabling cross-origin reads of local server data
Moderate
CVE-2026-53656
was published
for
fiftyone
(pip)
Jul 15, 2026
ProTip!
Advisories are also available from the
GraphQL API