GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
129 advisories
Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream
Moderate | CVE-2026-42037 was published for axios (npm) on May 5, 2026

net-imap vulnerable to command Injection via "raw" arguments to multiple commands
Moderate | CVE-2026-42257 was published for net-imap (RubyGems) on May 4, 2026

net-imap vulnerable to command Injection via unvalidated Symbol inputs
Moderate | CVE-2026-42258 was published for net-imap (RubyGems) on May 4, 2026

Improper neutralization of CRLF sequences ('CRLF injection') vulnerability in TUBITAK BILGEM...
High | Unreviewed | CVE-2026-5140 was published on Apr 29, 2026

PHPUnit: Argument injection via newline in PHP INI values forwarded to child processes
High | GHSA-mh6w-vxff-9wqp was published for phpunit/phpunit (Composer) on Apr 22, 2026

The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and...
Moderate | Unreviewed | CVE-2026-2717 was published on Apr 22, 2026

SD-330AC and AMC Manager provided by silex technology, Inc. contain an improper neutralization of...
Moderate | Unreviewed | CVE-2026-32964 was published on Apr 20, 2026

PHPUnit has Argument injection via newline in PHP INI values that are forwarded to child processes
High | CVE-2026-41570 was published for phpunit/phpunit (Composer) on Apr 18, 2026

MailGates/MailAudit developed by Openfind has a CRLF Injection vulnerability, allowing...
High | Unreviewed | CVE-2026-6351 was published on Apr 16, 2026

Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()
High | CVE-2026-41230 was published for froxlor/froxlor (Composer) on Apr 16, 2026

CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability exists that...
Moderate | Unreviewed | CVE-2026-2400 was published on Apr 14, 2026

basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands
High | GHSA-6v7q-wjvx-w8wg was published for basic-ftp (npm) on Apr 10, 2026

Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output
Moderate | CVE-2026-35601 was published for code.vikunja.io/api (Go) on Apr 10, 2026

basic-ftp has FTP Command Injection via CRLF
High | CVE-2026-39983 was published for basic-ftp (npm) on Apr 8, 2026

CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller
High | CVE-2026-39394 was published for ci4-cms-erp/ci4ms (Composer) on Apr 8, 2026

Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO)
Moderate | GHSA-vvjj-xcjg-gr5g was published for nodemailer (npm) on Apr 8, 2026

Rack's improper unfolding of folded multipart headers preserves CRLF in parsed parameter values
Moderate | CVE-2026-26962 was published for rack (RubyGems) on Apr 2, 2026

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to...
Moderate | Unreviewed | CVE-2026-2442 was published on Mar 28, 2026

Nodemailer has SMTP command injection due to unsanitized `envelope.size` parameter
Low | GHSA-c7w3-x93f-qmm8 was published for nodemailer (npm) on Mar 26, 2026

A vulnerability in the web-based Cisco IOx application hosting environment management interface...
Moderate | Unreviewed | CVE-2026-20113 was published on Mar 25, 2026

iCalendar has ICS injection via unsanitized URI property values
Moderate | CVE-2026-33635 was published for icalendar (RubyGems) on Mar 24, 2026

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to...
Moderate | Unreviewed | CVE-2026-28753 was published on Mar 24, 2026

h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields
High | CVE-2026-33128 was published for h3 (npm) on Mar 18, 2026

A flaw was found in libsoup. An attacker controlling the value used to set the Content-Type...
Low | Unreviewed | CVE-2026-3634 was published on Mar 17, 2026

A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the ...
Low | Unreviewed | CVE-2026-3633 was published on Mar 17, 2026