GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

26,445 advisories

Rucio WebUI has Stored Cross-site Scripting (XSS) in RSE Metadata Moderate
CVE-2026-25734 was published for rucio-webui (pip) Feb 25, 2026
Credited to d-woosley
Mautic is Vulnerable to SQL Injection through Contact Activity API Sorting High
CVE-2026-3105 was published for mautic/core (Composer) Feb 25, 2026
Credited to q1uf3ng and patrykgruszka
ImageMagick has a heap Buffer Over-read in its DJVU image format handler Moderate
CVE-2026-27799 was published for Magick.NET-Q16-AnyCPU (NuGet) Feb 25, 2026
ImageMagick: Heap Buffer Over-read in WaveletDenoise when processing small images Moderate
CVE-2026-27798 was published for Magick.NET-Q16-AnyCPU (NuGet) Feb 25, 2026
Credited to ylwango613
hexchat crate has a Use After Free vulnerability High
GHSA-x43w-ph7m-pfjx was published for hexchat (Rust) Feb 25, 2026
CIRCL has an incorrect calculation in secp384r1 CombinedMult Low
CVE-2026-1229 was published for github.com/cloudflare/circl (Go) Feb 25, 2026
ImageMagick: Heap-based Buffer Overflow in GetPixelIndex due to metadata-cache desynchronization Low
GHSA-gq5v-qf8q-fp77 was published for Magick.NET-Q16-AnyCPU (NuGet) Feb 25, 2026
Credited to ylwango613
ImageMagick: Memory Leak in multiple coders that write raw pixel data Low
GHSA-wfx3-6g53-9fgc was published for Magick.NET-Q16-AnyCPU (NuGet) Feb 25, 2026
Credited to ylwango613
ImageMagick: Memory leak in coders/txt.c without freetype Low
GHSA-3q5f-gmjc-38r8 was published for Magick.NET-Q16-AnyCPU (NuGet) Feb 25, 2026
Credited to unbengable12
ImageMagick: SVG-to-MVG Command Injection via coders/svg.c Low
GHSA-xpg8-7m6m-jf56 was published for Magick.NET-Q16-AnyCPU (NuGet) Feb 25, 2026
Credited to phenggeler
ImageMagick: Malicious PCD files trigger 1‑byte heap Out-of-bounds Read and DoS Low
GHSA-wgxp-q8xq-wpp9 was published for Magick.NET-Q16-AnyCPU (NuGet) Feb 25, 2026
Credited to ylwango613
ImageMagick has a possible use-after-free write in its PDB decoder Low
GHSA-3j4x-rwrx-xxj9 was published for Magick.NET-Q16-AnyCPU (NuGet) Feb 25, 2026
Credited to zerojackyi
ImageMagick has a possible heap Use After Free vulnerability in its meta coder Low
GHSA-2gq3-ww97-wfjm was published for Magick.NET-Q16-AnyCPU (NuGet) Feb 25, 2026
Credited to ylwango613
Craft CMS has Stored XSS in Table Field in its "Row Heading" Column Type Low
GHSA-6j87-m5qx-9fqp was published for craftcms/cms (Composer) Feb 25, 2026
Credited to mHe4am
changedetection.io is Vulnerable to SSRF via Watch URLs High
CVE-2026-27696 was published for changedetection.io (pip) Feb 25, 2026
Credited to route2shell
changedetection.io Vulnerable to Reflected XSS in RSS Single Watch Error Response Moderate
CVE-2026-27645 was published for changedetection.io (pip) Feb 25, 2026
Credited to Akokonunes and neo-ai-engineer
Flask-Reuploaded vulnerable to Remote Code Execution via Server-Side Template Injection Critical
CVE-2026-27641 was published for flask-reuploaded (pip) Feb 25, 2026
Credited to cjaron03
Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions High
CVE-2026-27610 was published for parse-dashboard (npm) Feb 25, 2026
Credited to mtrezza
Parse Dashboard is Missing CSRF Protection for its Agent Endpoint High
CVE-2026-27609 was published for parse-dashboard (npm) Feb 25, 2026
Credited to mtrezza
Parse Dashboard is Missing Authorization for its Agent Endpoint Critical
CVE-2026-27608 was published for parse-dashboard (npm) Feb 25, 2026
Credited to mtrezza and ByamB4
Rucio WebUI Vulnerable to Stored Cross-site Scripting (XSS) through Custom Rule Function High
CVE-2026-25733 was published for rucio-webui (pip) Feb 25, 2026
Credited to d-woosley
Budibase: Remote Code Execution via Unsafe eval() in View Filter Map Function (Budibase Cloud) Critical
CVE-2026-27702 was published for budibase (npm) Feb 25, 2026
Credited to vicevirus
AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php High
CVE-2026-27732 was published for wwbn/avideo (Composer) Feb 25, 2026
Credited to arkmarta
Rucio WebUI has Username Enumeration via Login Error Message Moderate
CVE-2026-25138 was published for rucio-webui (pip) Feb 25, 2026
Credited to d-woosley
Rucio WebUI has a Reflected Cross-site Scripting Vulnerability High
CVE-2026-25136 was published for rucio-webui (pip) Feb 25, 2026
Credited to d-woosley
ProTip! Advisories are also available from the GraphQL API