Vendor Security Advisories

Security advisories straight from the source — Microsoft, Red Hat, GitHub, and beyond. Searchable, indexed, and live the moment vendors publish.

Live · 3,674 advisories tracked · 107 disclosed before NVD · 253 Critical · 1,464 High · 960 Medium · 157 Low
14 vendors tracked · 3,674 ingested in last 24h

Browse by vendor

7 active · 14 tracked
Disclosed before NVD assigned a CVE-ID (107)

These advisories were published by the upstream vendor before NVD assigned a CVE-ID. Customers received the email on day zero — everyone else has to wait days to weeks for NVD to catch up.

GHSA-7m8f-hgjq-8gc9 · GitHub · 7.5
aiosend: Deserialization of request body before signature verification (Pre-auth DoS) in webhook handler
HIGH · May 22, 2026
⏳ Pre-CVE · vendor-disclosed before NVD

GHSA-qqqm-5547-774x · GitHub
FileBrowser Quantum: Path traversal in public share PATCH allows file ops outside shared directory
CRITICAL · May 22, 2026
⏳ Pre-CVE · vendor-disclosed before NVD

GHSA-qv2q-c278-pch5 · GitHub · 3.7
ImageMagick: Information Disclosure in PasskeyEncipherImage via AES-CTR nonce reuse
LOW · May 21, 2026
⏳ Pre-CVE · vendor-disclosed before NVD

GHSA-vf33-6r7x-66xx · GitHub · 3.3
ImageMagick: Division by Zero in binomial kernel
LOW · May 21, 2026
⏳ Pre-CVE · vendor-disclosed before NVD

GHSA-jqq5-8px3-9m6m · GitHub · 6.2
ImageMagick: Heap Buffer Over-Write in json and yaml encoder of a single byte due to incorrect fix
MEDIUM · May 21, 2026
⏳ Pre-CVE · vendor-disclosed before NVD

GHSA-59f3-7227-wmh4 · GitHub
@hulumi/policies: Stack-wide evidence bypassed Cloudflare and deployment-governance guardrails
HIGH · May 21, 2026
⏳ Pre-CVE · vendor-disclosed before NVD

GHSA-q2f7-m237-v562 · GitHub
@hulumi/policies: GitHub OIDC trust policy bypass via AWS set-qualified condition operators
CRITICAL · May 21, 2026
⏳ Pre-CVE · vendor-disclosed before NVD

GHSA-4xrh-5m3m-328w · GitHub
@hulumi/policies: CIS 1.16 admin policy bypass for inline and attached IAM policies
HIGH · May 21, 2026
⏳ Pre-CVE · vendor-disclosed before NVD

GHSA-g43v-9x7q-83pq · GitHub
@hulumi/policies: HULUMI-H1 SecureBucket parent spoof bypass
HIGH · May 21, 2026
⏳ Pre-CVE · vendor-disclosed before NVD

GHSA-2ffm-hxrq-qqmm · GitHub
@hulumi/drift: Orphan reconciler accepted externally supplied execute plans
HIGH · May 21, 2026
⏳ Pre-CVE · vendor-disclosed before NVD

GHSA-gfp8-mp24-5vxg · GitHub
@hulumi/baseline: CloudTrail selector tampering events were not fully detected
MEDIUM · May 21, 2026
⏳ Pre-CVE · vendor-disclosed before NVD

GHSA-hgv7-v322-mmgr · GitHub
@sveltejs/kit: `query.batch` cross-talk
MEDIUM · May 21, 2026
⏳ Pre-CVE · vendor-disclosed before NVD

Most Recent Vendor Advisories (top 12)

The newest 12 advisories ingested from any tracked vendor — refreshed every two minutes.

2026-036-AWS · AWS
CVE-2026-9291 - Insecure Deserialization in Amazon Braket SDK Job Results Processing
UNKNOWN · May 22, 2026

GHSA-97r5-pg8x-p63p · GitHub
Flask-Security-Too OAuth reauthentication freshness bypass via cross-user OAuth identity acceptance
MEDIUM · May 22, 2026

GHSA-7m8f-hgjq-8gc9 · GitHub · 7.5
aiosend: Deserialization of request body before signature verification (Pre-auth DoS) in webhook handler
HIGH · May 22, 2026
⏳ Pre-CVE · vendor-disclosed before NVD

GHSA-q8mj-m7cp-5q26 · GitHub · 5.3
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
MEDIUM · May 22, 2026

GHSA-qqqm-5547-774x · GitHub
FileBrowser Quantum: Path traversal in public share PATCH allows file ops outside shared directory
CRITICAL · May 22, 2026
⏳ Pre-CVE · vendor-disclosed before NVD

2026-035-AWS · AWS
CVE-2026-9255 - Tool Execution Without Authorization via Piped Stdin in Kiro CLI
UNKNOWN · May 22, 2026

GHSA-jwvv-qr7q-cv8j · GitHub · 9.8
YesWiki: Unauthenticated SQL Injection
CRITICAL · May 22, 2026

GHSA-6gxq-f64p-5w6f · GitHub · 5.7
ImageMagick: Heap Buffer Over-Read in distributed pixel cache server
MEDIUM · May 22, 2026

GHSA-2rgj-gx5x-f62w · GitHub · 4.1
ImageMagick: Information Disclosure in distributed pixel cache server because it is not using a challenge–response authentication model
MEDIUM · May 22, 2026

GHSA-4g75-9r48-jf92 · GitHub · 4.1
ImageMagick: Race Condition in distributed pixel cache server can result in file descriptor hijacking
MEDIUM · May 22, 2026

GHSA-p93h-f2jc-477j · GitHub · 4.1
ImageMagick: Heap Buffer Over-Write in distributed pixel cache server
MEDIUM · May 22, 2026

GHSA-jrc7-p252-6hpq · GitHub · 4.3
The Widget Context plugin for WordPress is vulnerable to Cross-Site Request Forgery in all...
MEDIUM · May 22, 2026

Frequently asked questions

What is a vendor security advisory?
A vendor security advisory is an official disclosure published by the software or hardware vendor itself — Microsoft's MSRC, Red Hat Product Security, GitHub Security Advisories, and others. Vendor advisories typically include a CVE-ID once one is assigned, vendor-specific remediation steps, and the exact list of affected product builds — all of which the upstream NVD entry may not yet have.
How is this different from the NVD CVE feed?
NVD publishes CVEs after the CVE Numbering Authority coordinates disclosure with the vendor. Vendors often notify customers days to weeks before NVD's public record. This feed captures the vendor side directly, surfacing embargo-window disclosures that don't yet appear in NVD or GitHub Advisory Database.
Which vendors are tracked?
Microsoft Security Response Center (MSRC), Red Hat Product Security (RHSA via CSAF), and GitHub Security Advisories (GHSA) are live today. Apple, AWS, GCP, Azure, VMware, HashiCorp, Atlassian, GitLab, Grafana, and Cisco are tracked vendors with pollers in development.
How often is the feed updated?
GitHub GHSA is polled every hour for fast embargo-window coverage. Red Hat CSAF and Microsoft MSRC are polled every six hours. Each advisory's first-seen timestamp is preserved separately from the vendor's published-at so you can audit how quickly we caught it.
Does the feed include CVSS scores and remediation guidance?
Yes, when the vendor publishes them. CVSS v3 scores, severity bands (Critical/High/Medium/Low), the full list of affected product builds, vendor-specific patch / mitigation steps, and authoritative reference URLs are surfaced on every advisory detail page. Fields are blank when the vendor's own disclosure did not include them.
Is this feed free to use?
Yes. All pages on /pulse/vendor-advisories are free to read and link to. The underlying advisory data is published by each vendor under their own terms — EchelonGraph aggregates and normalises it for discoverability.