Vendor Security Advisories

Security advisories straight from the source — Microsoft, Red Hat, GitHub, and beyond. Searchable, indexed, and live the moment vendors publish.

Live31,943 advisories tracked578 disclosed before NVD2,620 Critical14,672 High10,946 Medium1,611 Low
15 vendors tracked· 299 ingested in last 24h← Back to CVE Pulse

🔔 Vendor advisory alerts

Catch vendor-disclosed advisories the day they ship

Vendors like Microsoft, Red Hat, and GitHub publish security advisories days to weeks before NVD assigns a CVE. Subscribe to get these the moment we ingest them.

  • Microsoft MSRC, Red Hat RHSA, GitHub GHSA — full vendor coverage
  • Embargo-window disclosures included (Pre-CVE advisories)
  • Real-time, daily, weekly, or monthly cadence

Free · Unsubscribe in one click · No marketing email

Browse by vendor

10 active · 15 tracked
Disclosed before NVD assigned a CVE-ID578 total

These advisories were published by the upstream vendor before NVD assigned a CVE-ID. Customers received the email on day zero — everyone else has to wait days to weeks for NVD to catch up.

GHSA-vjc7-jrh9-9j86GitHub10.0

9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats

CRITICALJul 6, 2026View details →
⏳ Pre-CVE · vendor-disclosed before NVD
GHSA-x76w-8c62-48mgGitHub

Craft CMS: Authenticated "assets/preview-thumb" discloses signed fallback transform preview link to CP users without asset-view permission

MEDIUMJul 6, 2026View details →
⏳ Pre-CVE · vendor-disclosed before NVD
GHSA-7jvp-hj45-2f2mGitHub

Scriban: Template Writes to Arbitrary CLR Properties via `TypedObjectAccessor` (Mass Assignment + `private` / `init` / `internal` Setter Bypass)

HIGHJul 6, 2026View details →
⏳ Pre-CVE · vendor-disclosed before NVD
GHSA-66m8-c62j-h6v5GitHub6.2

jxl-oxide: `FrameBuffer::new` creates out-of-bounds slices on overflow

MEDIUMJul 2, 2026View details →
⏳ Pre-CVE · vendor-disclosed before NVD
GHSA-2v8p-fqpx-2q3wGitHub6.2

jxl-oxide: integer subtraction overflow panic in cluster_from_table via crafted JXL input (DoS)

MEDIUMJul 2, 2026View details →
⏳ Pre-CVE · vendor-disclosed before NVD
GHSA-j5mc-p8qg-39j7GitHub

Kimai Favorite Timesheet Add and Remove Endpoints Allows Cross-User Bookmark Manipulation

LOWJul 2, 2026View details →
⏳ Pre-CVE · vendor-disclosed before NVD
GHSA-x4hg-hfwf-p9mwGitHub

@asymmetric-effort/nogginlessdom vulnerable to ReDoS via user-controlled regex in HTMLInputElement pattern validation

MEDIUMJul 2, 2026View details →
⏳ Pre-CVE · vendor-disclosed before NVD
GHSA-322x-v876-g883GitHub

@asymmetric-effort/nogginlessdom's Path Traversal in matchFileSnapshot allows arbitrary file write

HIGHJul 2, 2026View details →
⏳ Pre-CVE · vendor-disclosed before NVD
GHSA-g6g7-pvmx-m74pGitHub

9router: Missing Authorization and OS Command Injection

CRITICALJul 2, 2026View details →
⏳ Pre-CVE · vendor-disclosed before NVD
GHSA-gj2h-2fpw-fhv9GitHub

@nuxt/ui: UAuthForm / UForm SSR markup omits `method`, leaking credentials via GET if submitted before hydration

MEDIUMJul 2, 2026View details →
⏳ Pre-CVE · vendor-disclosed before NVD
GHSA-h72h-ppcx-998pGitHub3.7

Zebra has pre-handshake buffer capacity reservation based on attacker-claimed body length

LOWJul 2, 2026View details →
⏳ Pre-CVE · vendor-disclosed before NVD
GHSA-c8w6-x74f-vmg3GitHub6.5

zebrad vulnerable to full node denial of service via crafted Sapling receiver in z_listunifiedreceivers

MEDIUMJul 2, 2026View details →
⏳ Pre-CVE · vendor-disclosed before NVD
Most Recent Vendor Advisoriestop 12

The newest 12 advisories ingested from any tracked vendor — refreshed every two minutes.

GHSA-hphp-fmhr-5fqhGitHub8.1

Leantime's Users::getUser method in the JSON-RPC API lacks proper authorization checks, allowing...

HIGHJul 6, 2026View details →
GHSA-3hmc-px3x-2cjrGitHub7.5

A flaw in the authentication mechanism for video stream requests in Genetec Security Center 5.14...

HIGHJul 6, 2026View details →
GHSA-cr32-g25g-vxjjGitHub6.1

showdown contains a cross-site scripting vulnerability in metadata title handling that allows...

MEDIUMJul 6, 2026View details →
GHSA-vwm8-rprj-29f7GitHub8.1

Leantime contains an OIDC login CSRF vulnerability in the verifyState() method that...

HIGHJul 6, 2026View details →
GHSA-29x3-448h-cjxwGitHub7.7

HashiCorp Terraform Enterprise contained an issue in its version control system (VCS) ingestion...

HIGHJul 6, 2026View details →
GHSA-wj36-3pgh-3jfqGitHub5.3

Memory Corruption when updating prepared commands with invalid port indices based on user space...

MEDIUMJul 6, 2026View details →
GHSA-h4m3-5rw4-m7w5GitHub5.3

Memory Corruption when validating input batch size and buffer plane count exceeds maximum allowed...

MEDIUMJul 6, 2026View details →
GHSA-8956-f28w-h25cGitHub7.8

Memory Corruption when allocating memory with sizes that exceed the maximum allowed value.

HIGHJul 6, 2026View details →
GHSA-3p8m-mr3f-jqg6GitHub7.1

Cryptographic Issue when using a static initialization vector for AES-GCM key wrapping, which...

HIGHJul 6, 2026View details →
GHSA-hmx9-2rg5-jc4pGitHub7.8

Memory Corruption when processing asynchronous input parameters due to improper handling of...

HIGHJul 6, 2026View details →
GHSA-m3mv-mgjg-xqg6GitHub5.3

Memory Corruption when handling flash commands due to outdated LED count values being used after...

MEDIUMJul 6, 2026View details →
GHSA-v9qv-qmj7-ghvrGitHub5.3

Memory Corruption when parsing jpeg commands due to unaccounted extra writes to the buffer during...

MEDIUMJul 6, 2026View details →

Browse all advisories

Severity:
Loading…

Frequently asked questions

What is a vendor security advisory?
A vendor security advisory is an official disclosure published by the software or hardware vendor itself — Microsoft's MSRC, Red Hat Product Security, GitHub Security Advisories, and others. Vendor advisories typically include a CVE-ID once one is assigned, vendor-specific remediation steps, and the exact list of affected product builds — all of which the upstream NVD entry may not yet have.
How is this different from the NVD CVE feed?
NVD publishes CVEs after the CVE Numbering Authority coordinates disclosure with the vendor. Vendors often notify customers days to weeks before NVD's public record. This feed captures the vendor side directly, surfacing embargo-window disclosures that don't yet appear in NVD or GitHub Advisory Database.
Which vendors are tracked?
Microsoft Security Response Center (MSRC), Red Hat Product Security (RHSA via CSAF), and GitHub Security Advisories (GHSA) are live today. Apple, AWS, GCP, Azure, VMware, HashiCorp, Atlassian, GitLab, Grafana, and Cisco are tracked vendors with pollers in development.
How often is the feed updated?
GitHub GHSA is polled every hour for fast embargo-window coverage. Red Hat CSAF and Microsoft MSRC are polled every six hours. Each advisory's first-seen timestamp is preserved separately from the vendor's published-at so you can audit how quickly we caught it.
Does the feed include CVSS scores and remediation guidance?
Yes when the vendor publishes them. CVSS v3 scores, severity bands (Critical/High/Medium/Low), the full list of affected product builds, vendor-specific patch / mitigation steps, and authoritative reference URLs are surfaced on every advisory detail page. Fields are blank when the vendor's own disclosure did not include them.
Is this feed free to use?
Yes. All pages on /pulse/vendor-advisories are free to read and link to. The underlying advisory data is published by each vendor under their own terms — EchelonGraph aggregates and normalises it for discoverability.