GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

223 advisories

PyO3 has a missing `Sync` bound on `PyCFunction::new_closure` closures Moderate
GHSA-chgr-c6px-7xpp was published for pyo3 (Rust) Jun 12, 2026
gorest InMemorySecret2FA race condition allows process crash via concurrent map access (CWE-362) Moderate
CVE-2026-48154 was published for github.com/pilinux/gorest (Go) Jun 12, 2026
NocoDB: OAuth Authorization Code Race Condition Moderate
CVE-2026-47386 was published for nocodb (npm) Jun 5, 2026
AdGuard Home: DoQ-to-UDP State Reduction and Source-Port Oracle Moderate
CVE-2026-47703 was published for github.com/AdguardTeam/AdGuardHome (Go) Jun 4, 2026
Credited to N0zoM1z0
Gotenberg has a Race Condition via Multipart `downloadFrom` Handling High
CVE-2026-45742 was published for github.com/gotenberg/gotenberg/v8 (Go) May 29, 2026
Credited to uokik
ImageMagick: Race Condition in distributed pixel cache server can result in file descriptor hijacking Moderate
CVE-2026-46693 was published for Magick.NET-Q16-AnyCPU (NuGet) May 22, 2026
Credited to SecurinDisclose
Credited to KadirArslan
shopper/framework: Race condition on Discount.usage_limit allows silent over-redemption Moderate
CVE-2026-47741 was published for shopper/cart (Composer) May 18, 2026
Credited to baradika
Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts High
CVE-2026-45675 was published for open-webui (pip) May 14, 2026
Credited to sfwani and Classic298
Dalfox has an Unauthenticated Remote DoS via Closed-Channel Write in `ParameterAnalysis` (server mode) High
CVE-2026-45090 was published for github.com/hahwul/dalfox (Go) May 12, 2026
Credited to bugbunny-research
Credited to LinZiyuu
Gotenberg has an unauthenticated denial of service via echo.Context pool reuse in webhook async goroutine High
CVE-2026-42594 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
Credited to adrgs and aisafe-bot
parse-server: MFA SMS one-time password accepted twice under concurrent login Low
CVE-2026-43930 was published for parse-server (npm) May 5, 2026
Credited to adrgs, aisafe-bot, and mtrezza
Langchain-Chatchat has a Race Condition in its OpenAI-Compatible File Upload API Low
CVE-2026-7846 was published for langchain-chatchat (pip) May 5, 2026
Prefect SSRF Bypass via DNS Rebinding in validate_restricted_url Low
CVE-2026-7724 was published for prefect (pip) May 4, 2026
Credited to nedlir
Auth0 Next.js SDK has Improper Proxy Cache Lookup Moderate
CVE-2026-40155 was published for @auth0/nextjs-auth0 (npm) Apr 21, 2026
Oxia affected by server crash via race condition in session heartbeat handling High
CVE-2026-40943 was published for github.com/oxia-db/oxia (Go) Apr 14, 2026
Juju: In-Memory Token Store for Discharge Tokens Lacks Concurrency Safety and Persistence Moderate
CVE-2026-5774 was published for github.com/juju/juju (Go) Apr 10, 2026
Credited to fg0x0, wallyworld, and tlm
ajenti.plugin.core has race conditions in 2FA Moderate
CVE-2026-40178 was published for ajenti.plugin.core (pip) Apr 10, 2026
Credited to hansmach1ne
Credited to Telecaster2147
Apache Kafka Clients: Kafka Producer Message Corruption and Misrouting via Buffer Pool Race Condition High
CVE-2026-35554 was published for org.apache.kafka:kafka-clients (Maven) Apr 7, 2026
Credited to filipecamargos
mcp-handler has a tool response leak across concurrent client sessions ('Race Condition') High
GHSA-w2fm-25vw-vh7f was published for mcp-handler (npm) Apr 1, 2026
NetBird has Race Condition on UpdateUser Function, Resulting in Privilege Escalation From Admin to Owner Moderate
GHSA-rxmp-8h9v-56cx was published for github.com/netbirdio/netbird (Go) Apr 1, 2026
Credited to sabancihan
Tinyauth has OAuth account confusion via shared mutable state on singleton service instances High
CVE-2026-33544 was published for github.com/steveiliop56/tinyauth (Go) Apr 1, 2026
Credited to kq5y
AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance Moderate
CVE-2026-34368 was published for wwbn/avideo (Composer) Mar 30, 2026
Credited to offset