
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

26,436 advisories

@actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode (Moderate)
CVE-2026-27638 was published for @actual-app/sync-server (npm) Feb 27, 2026
Credited to q1uf3ng

Umbraco.Engage.Forms Allows Unauthorized Access to Multiple API Endpoints (High)
CVE-2026-27449 was published for Umbraco.Engage.Forms (NuGet) Feb 27, 2026

Angular i18n vulnerable to Cross-Site Scripting (High)
CVE-2026-27970 was published for @angular/core (npm) Feb 27, 2026
Credited to AndrewKushnir, josephperrott, alan-agius4, and dgp1130

Vitess users with backup storage access can write to arbitrary file paths on restore (Critical)
CVE-2026-27969 was published for vitess.io/vitess (Go) Feb 27, 2026
Credited to NeuroWinter

AWS CLI: cli_history database does not restrict file permissions on Unix systems (Moderate)
GHSA-747p-wmpv-9c78 was published for awscli (pip) Feb 27, 2026

Langflow has Remote Code Execution in CSV Agent (Critical)
CVE-2026-27966 was published for langflow (pip) Feb 27, 2026
Credited to weblover12, andifilhohub, and Adam-Aghili

Vitess users with backup storage access can gain unauthorized access to production deployment environments (High)
CVE-2026-27965 was published for vitess.io/vitess (Go) Feb 26, 2026
Credited to NeuroWinter

Sealed Secrets for Kubernetes: Rotate API Allows Scope Widening from Strict/Namespace-Wide to Cluster-Wide via Untrusted Template Annotations (Moderate)
CVE-2026-22728 was published for github.com/bitnami-labs/sealed-secrets (Go) Feb 26, 2026
Credited to 1seal

Curio exposes database credentials to users with network access through verbose HTTP error responses (High)
GHSA-gj6x-q8rh-wj6x was published for github.com/filecoin-project/curio (Go) Feb 26, 2026

n8n has Webhook Forgery on Zendesk Trigger Node (Moderate)
GHSA-38c7-23hj-2wgq was published for n8n (npm) Feb 26, 2026
Credited to nkoorty and jjjutla

n8n has a Guardrail Node Bypass (Moderate)
GHSA-fvfv-ppw4-7h2w was published for n8n (npm) Feb 26, 2026
Credited to akirilov

n8n has an Authentication Bypass in its Chat Trigger Node (Moderate)
GHSA-jh8h-6c9q-7gmw was published for n8n (npm) Feb 26, 2026
Credited to sm1ee

n8n has an SSO Enforcement Bypass in its Self-Service Settings API (Moderate)
GHSA-vjf3-2gpj-233v was published for n8n (npm) Feb 26, 2026
Credited to stanislavfortaisle

Koa has Host Header Injection via ctx.hostname (High)
CVE-2026-27959 was published for koa (npm) Feb 26, 2026
Credited to p80n-sec

Copyparty vulnerable to reflected XSS via setck parameter (Moderate)
CVE-2026-27948 was published for copyparty (pip) Feb 26, 2026
Credited to iiDk-the-actual

fast-xml-parser has stack overflow in XMLBuilder with preserveOrder (Low)
CVE-2026-27942 was published for fast-xml-parser (npm) Feb 26, 2026

Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers (Moderate)
CVE-2026-27902 was published for svelte (npm) Feb 26, 2026
Credited to elliott-with-the-longest-name-on-github, KarimPwnz, and maksyche

Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent` (Moderate)
CVE-2026-27901 was published for svelte (npm) Feb 26, 2026
Credited to elliott-with-the-longest-name-on-github and KarimPwnz

WireGuard Portal is Vulnerable to Privilege Escalation via User Self-Update to Admin Level (High)
CVE-2026-27899 was published for github.com/h44z/wg-portal (Go) Feb 26, 2026
Credited to gregtuc

MCP Go SDK Vulnerable to Improper Handling of Case Sensitivity (High)
CVE-2026-27896 was published for github.com/modelcontextprotocol/go-sdk (Go) Feb 26, 2026
Credited to anaximand3r

wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup (Moderate)
CVE-2026-27839 was published for wger (pip) Feb 26, 2026
Credited to ByamB4

wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data (Low)
CVE-2026-27838 was published for wger (pip) Feb 26, 2026
Credited to ByamB4

wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data (Moderate)
CVE-2026-27835 was published for wger (pip) Feb 26, 2026
Credited to ByamB4
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions (High)
CVE-2026-27904 was published for minimatch (npm) Feb 26, 2026
Credited to dolevmiz1