Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
45
Go
3,196
Maven
5,000+
npm
5,000+
NuGet
864
pip
4,483
Pub
12
RubyGems
992
Rust
1,186
Swift
51
Unreviewed advisories
All unreviewed
5,000+

1,186 advisories

Loading
astral-tokio-tar insufficiently validates PAX extensions during extraction Low
CVE-2026-32766 was published for astral-tokio-tar (Rust) Mar 17, 2026
woodruffw Credited to woodruffw and xokdvium xokdvium xokdvium
lz4_flex's decompression can leak information from uninitialized memory or reused output buffer High
GHSA-vvp9-7p8x-rfvv was published for lz4_flex (Rust) Mar 16, 2026
Marcono1234 Credited to Marcono1234
Yamux vulnerable to remote Panic via malformed Data frame with SYN set and len = 262145 High
CVE-2026-32314 was published for yamux (Rust) Mar 13, 2026
Deno vulnerable to command Injection via incomplete shell metacharacter blocklist in node:child_process High
CVE-2026-32260 was published for deno (Rust) Mar 13, 2026
rtvkiz Credited to rtvkiz
rs-soroban-sdk: `Fr` scalar field equality comparison bypasses modular reduction Moderate
CVE-2026-32322 was published for soroban-sdk (Rust) Mar 13, 2026
leighmcculloch Credited to leighmcculloch
Yamux vulnerable to remote Panic via malformed WindowUpdate credit High
CVE-2026-31814 was published for yamux (Rust) Mar 13, 2026
Poseidon V1 variable-length input collision via implicit zero-padding High
CVE-2026-32129 was published for soroban-poseidon (Rust) Mar 13, 2026
ZeptoClaw: Email Sender Spoofing to bypass Header-Only From Allowlist Validation Moderate
GHSA-4cm8-xpfv-jv6f was published for zeptoclaw (Rust) Mar 12, 2026
zpbrent Credited to zpbrent
ZeptoClaw: Path boundary checks bypass via symlink, TOCTOU, and hardlink High
CVE-2026-32232 was published for zeptoclaw (Rust) Mar 12, 2026
zpbrent Credited to zpbrent
ZeptoClaw: Generic webhook channel trusts caller-supplied identity fields; allowlist is checked against untrusted payload data High
CVE-2026-32231 was published for zeptoclaw (Rust) Mar 12, 2026
zpbrent Credited to zpbrent
kora-lib: Token-2022 Transfer Fee Not Deducted During Payment Verification Moderate
GHSA-725g-w329-g7qr was published for kora-lib (Rust) Mar 12, 2026
solanabughunter-glitch Credited to solanabughunter-glitch
kora-lib: Unrecognized Instruction Types Create Empty Stubs That Bypass Fee Payer Policy Moderate
GHSA-x442-m7cc-hr92 was published for kora-lib (Rust) Mar 12, 2026
solanabughunter-glitch Credited to solanabughunter-glitch
actix-web-lab has host header poisoning in redirect middleware can generate attacker-controlled absolute redirects Moderate
GHSA-vhj5-x93p-67jw was published for actix-web-lab (Rust) Mar 11, 2026
Quinn affected by unauthenticated remote DoS via panic in QUIC transport parameter parsing High
CVE-2026-31812 was published for quinn-proto (Rust) Mar 11, 2026
RSSN has Arbitrary Code Execution via Unvalidated JIT Instruction Generation in C-FFI Interface Critical
CVE-2026-30960 was published for rssn (Rust) Mar 10, 2026
panayang Credited to panayang
Soroban: Muxed address<->ScVal conversions may break after a conversion failure Low
GHSA-pm4j-7r4q-ccg8 was published for soroban-env-host (Rust) Mar 7, 2026
`time-sync` was removed from crates.io due to malicious code Critical
GHSA-mh23-rw7f-v5pq was published for time-sync (Rust) Mar 5, 2026
Pingora vulnerable to cache poisoning via insecure-by-default cache key High
CVE-2026-2836 was published for pingora-cache (Rust) Mar 5, 2026
xclow3n Credited to xclow3n
Pingora has HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing Critical
CVE-2026-2835 was published for pingora-core (Rust) Mar 5, 2026
xclow3n Credited to xclow3n
Pingora vulnerable to HTTP Request Smuggling via Premature Upgrade Critical
CVE-2026-2833 was published for pingora-core (Rust) Mar 5, 2026
xclow3n Credited to xclow3n
stellar-xdr's StringM::from_str bypasses max length validation Moderate
CVE-2026-29795 was published for stellar-xdr (Rust) Mar 5, 2026
leighmcculloch Credited to leighmcculloch
`dnp3times` was removed from crates.io due to malicious code Critical
GHSA-xhw7-jhmp-j62j was published for dnp3times (Rust) Mar 5, 2026
zeptoclaw has Shell allowlist-blocklist bypass via command/argument injection and file name wildcards Critical
GHSA-5wp8-q9mx-8jx8 was published for zeptoclaw (Rust) Mar 5, 2026
zpbrent Credited to zpbrent
zeptoclaw has Android device shell blocklist bypass via argument permutation High
GHSA-hhjv-jq77-cmvx was published for zeptoclaw (Rust) Mar 5, 2026
zpbrent Credited to zpbrent
Duplicate Advisory: HTTP Request Smuggling via Premature Upgrade Critical
GHSA-f9v3-j2m7-4hpg was published for pingora-core (Rust) Mar 5, 2026 withdrawn
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database