GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

25,622 advisories

seroval Affected by Remote Code Execution via JSON Deserialization High
CVE-2026-23737 was published for seroval (npm) Jan 21, 2026
Credited to GabbeV, tweidinger, and lxsmnsyc
seroval Affected by Prototype Pollution via JSON Deserialization High
CVE-2026-23736 was published for seroval (npm) Jan 21, 2026
Credited to lxsmnsyc and tweidinger
Laravel Redis Horizontal Scaling Insecure Deserialization Critical
CVE-2026-23524 was published for laravel/reverb (Composer) Jan 21, 2026
Credited to m0h4mmad
Apache Solr: Insufficient file-access checking in standalone core-creation requests High
CVE-2026-22444 was published for org.apache.solr:solr-core (Maven) Jan 21, 2026
Apache Solr: Unauthorized bypass of certain "predefined permission" rules in the RuleBasedAuthorizationPlugin High
CVE-2026-22022 was published for org.apache.solr:solr-core (Maven) Jan 21, 2026
Keycloak Admin REST API exposes backend schema and rules Low
CVE-2025-14083 was published for org.keycloak:keycloak-services (Maven) Jan 21, 2026
Keycloak services allows the issuance of access and refresh tokens for disabled users Moderate
CVE-2025-14559 was published for org.keycloak:keycloak-services (Maven) Jan 21, 2026
Keycloak does not validate and update refresh token usage atomically Low
CVE-2026-1035 was published for org.keycloak:keycloak-services (Maven) Jan 21, 2026
ImageMagick has a NULL pointer dereference in MSL parser via <comment> tag before image load Moderate
CVE-2026-23952 was published for Magick.NET-Q16-AnyCPU (NuGet) Jan 21, 2026
Credited to OwenSanzas
ImageMagick has a Memory Leak in LoadOpenCLDeviceBenchmark() when parsing malformed XML Moderate
GHSA-qp59-x883-77qv was published for Magick.NET-Q16-AnyCPU (NuGet) Jan 21, 2026
Credited to Keryer
Credited to tomasilluminati
ImageMagick MSL: Stack overflow via infinite recursion in ProcessMSLScript Moderate
CVE-2026-23874 was published for Magick.NET-Q16-AnyCPU (NuGet) Jan 21, 2026
Credited to OwenSanzas
Swift W3C TraceContext vulnerable to a malformed HTTP header causing a crash Moderate
CVE-2026-23886 was published for github.com/swift-otel/swift-otel (Swift) Jan 21, 2026
Credited to czechboy0 and slashmo
AlchemyCMS: Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper Moderate
CVE-2026-23885 was published for alchemy_cms (RubyGems) Jan 21, 2026
Credited to TheDeepOpc and tvdeyen
ESPHome vulnerable to denial-of-service via out-of-bounds check bypass in the API component Moderate
CVE-2026-23833 was published for esphome (pip) Jan 21, 2026
Credited to Mat931
Swing Music has a Directory Traversal & Filesystem can be accessed by a non-admin user Moderate
CVE-2026-23877 was published for swingmusic (pip) Jan 21, 2026
Credited to d-virtuosa
File Browser Vulnerable to Username Enumeration via Timing Attack in /api/login Moderate
CVE-2026-23849 was published for github.com/filebrowser/filebrowser (Go) Jan 21, 2026
Credited to GUCHIHACKER and hacdias
SiYuan vulnerable to Arbitrary file Read / SSRF High
CVE-2026-23850 was published for github.com/siyuan-note/siyuan/kernel (Go) Jan 21, 2026
Credited to abdoghazy2015, xtromera, and A-Z4ki
SiYuan Vulnerable to Arbitrary File Read via File Copy Functionality High
CVE-2026-23851 was published for github.com/siyuan-note/siyuan/kernel (Go) Jan 21, 2026
Credited to jaroslaw-wawiorko
Mailpit has a Server-Side Request Forgery (SSRF) via HTML Check API Moderate
CVE-2026-23845 was published for github.com/axllent/mailpit (Go) Jan 21, 2026
Credited to mdisec and omarkurt
Orval has a code injection via unsanitized x-enum-descriptions in enum generation Critical
CVE-2026-23947 was published for @orval/core (npm) Jan 21, 2026
Credited to k14uz and ZipJo
SiYuan has a Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon Low
CVE-2026-23847 was published for github.com/siyuan-note/siyuan/kernel (Go) Jan 21, 2026
Credited to jaroslaw-wawiorko
Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation Moderate
CVE-2026-21852 was published for @anthropic-ai/claude-code (npm) Jan 21, 2026
Duplicate Advisory: Wrangler affected by OS Command Injection in `wrangler pages deploy` High
GHSA-8h3q-9fpp-c883 was published for wrangler (npm) Jan 21, 2026 withdrawn
binary-parser library has a code injection vulnerability Moderate
CVE-2026-1245 was published for binary-parser (npm) Jan 20, 2026
Credited to sei-vsarvepalli