Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
74
GitHub Actions
54
Go
4,087
Maven
5,000+
npm
5,000+
NuGet
994
pip
5,000+
Pub
13
RubyGems
1,095
Rust
1,414
Swift
61
Unreviewed advisories
All unreviewed
5,000+

44 advisories

Loading
skillctl: argument injection, path traversal in --dest, FIFO/device DoS, hardlink exfiltration, and commit-trailer forgery High
GHSA-74p7-6h78-gw8p was published for skillctl (Rust) Jun 22, 2026
Improper neutralization of argument delimiters in AWS Bedrock AgentCore Python SDK install_packages() High
CVE-2026-12530 was published for bedrock-agentcore (pip) Jun 19, 2026
Docker MCP Gateway: Argument injection via OCI image label YAML High
CVE-2026-55887 was published for github.com/docker/mcp-gateway (Go) Jun 18, 2026
Electerm Security Vulnerability: RCE via malicious SSH server filename in openFileWithEditor High
CVE-2026-43943 was published for electerm (npm) May 8, 2026
osageling Credited to osageling
Electerm has an unvalidated shell.openExternal that allows arbitrary protocol execution via terminal link click High
CVE-2026-43941 was published for electerm (npm) May 8, 2026
osageling Credited to osageling
JupyterLab has an Extension Manager API/GUI Policy Discrepancy, allowing 3rd party (malicious) extensions install via POST request High
CVE-2026-42266 was published for jupyterlab (pip) May 5, 2026
pmcao Credited to pmcao, Yann-P, and krassowski Yann-P Yann-P
krassowski krassowski
exiftool-vendored vulnerable to argument injection via newline characters in tag names High
CVE-2026-43893 was published for exiftool-vendored (npm) May 5, 2026
Dobby153 Credited to Dobby153
GitPython: Unsafe option check validates multi_options before shlex.split transformation High
CVE-2026-42284 was published for GitPython (pip) Apr 25, 2026
Texuguinho1234 Credited to Texuguinho1234
PHPUnit: Argument injection via newline in PHP INI values forwarded to child processes High
GHSA-mh6w-vxff-9wqp was published for phpunit/phpunit (Composer) Apr 22, 2026
Tekton Pipeline: Git Resolver Unsanitized Revision Parameter Enables git Argument Injection Leading to RCE High
CVE-2026-40938 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
offset Credited to offset, vdemeester, kodareef5, and waveywaves vdemeester vdemeester
kodareef5 kodareef5 waveywaves waveywaves
PHPUnit has Argument injection via newline in PHP INI values that are forwarded to child processes High
CVE-2026-41570 was published for phpunit/phpunit (Composer) Apr 18, 2026
kayw-geek Credited to kayw-geek, sebastianbergmann, and sanmai sebastianbergmann sebastianbergmann
sanmai sanmai
MCP Server Kubernetes has an Argument Injection in port_forward tool via space-splitting High
CVE-2026-39884 was published for mcp-server-kubernetes (npm) Apr 14, 2026
TharVid Credited to TharVid
SSH/SCP option injection allowing local RCE in @aiondadotcom/mcp-ssh High
GHSA-p4h8-56qp-hpgv was published for @aiondadotcom/mcp-ssh (npm) Apr 14, 2026
PraisonAI Vulnerable to Argument Injection into Cloud Run Environment Variables via Unsanitized Comma in gcloud --set-env-vars High
CVE-2026-40113 was published for PraisonAI (pip) Apr 10, 2026
aswinastro Credited to aswinastro and g0w6y g0w6y g0w6y
File Browser has a Command Injection via Hook Runner High
CVE-2026-35585 was published for github.com/filebrowser/filebrowser/v2 (Go) Apr 8, 2026
Saku0512 Credited to Saku0512
Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference High
CVE-2026-34769 was published for electron (npm) Apr 3, 2026
Gogs: Release tag option injection in release deletion High
CVE-2026-26194 was published for gogs.io/gogs (Go) Mar 5, 2026
rezmoss Credited to rezmoss
OpenClaw has Windows system.run approval mismatch on cmd.exe /c trailing arguments High
CVE-2026-22168 was published for openclaw (npm) Mar 2, 2026
tdjackey Credited to tdjackey
OpenClaw has an exec allowlist bypass via command substitution/backticks inside double quotes High
CVE-2026-28470 was published for openclaw (npm) Feb 17, 2026
simecek Credited to simecek and stanislavfortaisle stanislavfortaisle stanislavfortaisle
Cloudinary Node SDK is vulnerable to Arbitrary Argument Injection through parameters that include an ampersand High
CVE-2025-12613 was published for cloudinary (npm) Nov 10, 2025
go-mail has insufficient address encoding when passing mail addresses to the SMTP client High
CVE-2025-59937 was published for github.com/wneessen/go-mail (Go) Sep 29, 2025
xclow3n Credited to xclow3n
filebrowser Allows Shell Commands to Spawn Other Commands High
CVE-2025-52903 was published for github.com/filebrowser/filebrowser/v2 (Go) Jun 27, 2025
mtausig Credited to mtausig and hacdias hacdias hacdias
Gogs allows argument Injection when tagging new releases High
CVE-2024-39933 was published for gogs.io/gogs (Go) Dec 23, 2024
swapgs Credited to swapgs
Laravel environment manipulation via query string High
CVE-2024-52301 was published for laravel/framework (Composer) Nov 12, 2024
Duplicate Advisory: Gogs allows argument injection during the tagging of a new release High
GHSA-8mm6-wmpp-mmm3 was published for github.com/gogs/gogs (Go) Jul 4, 2024 withdrawn
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database