Vendor Security Advisories

Security advisories straight from the source — Microsoft, Red Hat, GitHub, and beyond. Searchable, indexed, and live the moment vendors publish.

Live: 13,711 advisories tracked · 144 disclosed before NVD · 831 Critical · 6,134 High · 4,490 Medium · 701 Low
15 vendors tracked · 1,593 ingested in last 24h


Browse by vendor

10 active · 15 tracked
Disclosed before NVD assigned a CVE-ID (144 total)

These advisories were published by the upstream vendor before NVD assigned a CVE-ID. Customers received the email on day zero — everyone else has to wait days to weeks for NVD to catch up.

GHSA-63gr-g7jc-v8rg · GitHub
@agenticmail/mcp Missing Authentication for Critical Function
HIGH · Jun 1, 2026
⏳ Pre-CVE · vendor-disclosed before NVD

GHSA-9vp8-3hmv-8fgh · GitHub
stigmem-node's federation peer registration lacked explicit out-of-band approval
CRITICAL · May 29, 2026
⏳ Pre-CVE · vendor-disclosed before NVD

GHSA-w7pm-9g55-mxfm · GitHub
stigmem-node's unsigned plugin override could be enabled without a second explicit acknowledgment
HIGH · May 29, 2026
⏳ Pre-CVE · vendor-disclosed before NVD

GHSA-jmfc-hfjq-pxcp · GitHub
stigmem-node's federation insecure transport settings may allow non-loopback cleartext federation
CRITICAL · May 29, 2026
⏳ Pre-CVE · vendor-disclosed before NVD

GHSA-9pc9-4crj-mhpj · GitHub
stigmem-node's Postgres schema identifier handling required defensive quoting
HIGH · May 29, 2026
⏳ Pre-CVE · vendor-disclosed before NVD

GHSA-xh5j-xjfq-qvvx · GitHub
stigmem-node's federation peer token timestamp validation may reject valid peer tokens
HIGH · May 29, 2026
⏳ Pre-CVE · vendor-disclosed before NVD

GHSA-fp6w-8wpg-74g5 · GitHub
stigmem-node: Auth-disabled deployments may grant broad anonymous access outside loopback
CRITICAL · May 29, 2026
⏳ Pre-CVE · vendor-disclosed before NVD

GHSA-92vj-hp7m-gwcj · GitHub · 5.3
Nerdbank.MessagePack has Inefficient CPU Computation
MEDIUM · May 29, 2026
⏳ Pre-CVE · vendor-disclosed before NVD

GHSA-qjvr-435c-5fjh · GitHub · 5.3
Nerdbank.MessagePack has a memory amplification DoS in collection deserialization
MEDIUM · May 29, 2026
⏳ Pre-CVE · vendor-disclosed before NVD

GHSA-w5pp-99ch-qj29 · GitHub · 6.5
go-git: Malformed Git object data may cause panics or resource exhaustion
MEDIUM · May 29, 2026
⏳ Pre-CVE · vendor-disclosed before NVD

GHSA-4gg8-gxpx-9rph · GitHub
uv is vulnerable to arbitrary file write through entry point names
MEDIUM · May 29, 2026
⏳ Pre-CVE · vendor-disclosed before NVD

GHSA-3pv8-6f4r-ffg2 · GitHub
tar has a PAX header desynchronization issue
MEDIUM · May 29, 2026
⏳ Pre-CVE · vendor-disclosed before NVD

Most Recent Vendor Advisories (top 12)

The newest 12 advisories ingested from any tracked vendor — refreshed every two minutes.

GHSA-28vp-6rv7-m976 · GitHub · 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')...
HIGH · Jun 3, 2026

GHSA-g35p-px32-whv6 · GitHub · 9.1
A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of...
CRITICAL · Jun 3, 2026

RHSA-2026:22716 · Red Hat · 5.9
Red Hat Security Advisory: libsoup security update
MEDIUM · Jun 3, 2026

RHSA-2026:22714 · Red Hat · 9.1
Red Hat Security Advisory: osbuild-composer security update
HIGH · Jun 3, 2026

RHSA-2026:22712 · Red Hat · 8.8
Red Hat Security Advisory: firefox security update
HIGH · Jun 3, 2026

RHSA-2026:22711 · Red Hat · 4.1
Red Hat Security Advisory: vim security update
MEDIUM · Jun 3, 2026

RHSA-2026:22710 · Red Hat · 5.9
Red Hat Security Advisory: libsoup security update
MEDIUM · Jun 3, 2026

GHSA-qh2m-553j-rjfc · GitHub · 7.5
ipmi-oem in FreeIPMI before 1.6.18 has exploitable buffer overflows on response messages. The...
HIGH · Jun 3, 2026

GHSA-mwjg-3fm6-9v84 · GitHub
In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request...
LOW · Jun 3, 2026

RHSA-2026:22528 · Red Hat · 5.3
Red Hat Security Advisory: mod_http2 security update
MEDIUM · Jun 3, 2026

GHSA-qp9q-4rh4-m8jc · GitHub · 3.1
A flaw has been found in dask up to 3.0. Affected by this issue is the function nunique_approx of...
LOW · Jun 3, 2026

GHSA-cr37-3vx9-9f5f · GitHub · 7.3
A vulnerability was detected in SourceCodester Pizzafy E-Commerce System 1.0. Affected by this...
MEDIUM · Jun 3, 2026

Frequently asked questions

What is a vendor security advisory?
A vendor security advisory is an official disclosure published by the software or hardware vendor itself — Microsoft's MSRC, Red Hat Product Security, GitHub Security Advisories, and others. Vendor advisories typically include a CVE-ID once one is assigned, vendor-specific remediation steps, and the exact list of affected product builds — all of which the upstream NVD entry may not yet have.

How is this different from the NVD CVE feed?
NVD publishes CVEs after the CVE Numbering Authority coordinates disclosure with the vendor. Vendors often notify customers days to weeks before NVD's public record. This feed captures the vendor side directly, surfacing embargo-window disclosures that don't yet appear in NVD or the GitHub Advisory Database.

Which vendors are tracked?
Microsoft Security Response Center (MSRC), Red Hat Product Security (RHSA via CSAF), and GitHub Security Advisories (GHSA) are live today. Apple, AWS, GCP, Azure, VMware, HashiCorp, Atlassian, GitLab, Grafana, and Cisco are tracked vendors with pollers in development.

How often is the feed updated?
GitHub GHSA is polled every hour for fast embargo-window coverage. Red Hat CSAF and Microsoft MSRC are polled every six hours. Each advisory's first-seen timestamp is preserved separately from the vendor's published-at timestamp so you can audit how quickly we caught it.

Does the feed include CVSS scores and remediation guidance?
Yes, when the vendor publishes them. CVSS v3 scores, severity bands (Critical/High/Medium/Low), the full list of affected product builds, vendor-specific patch / mitigation steps, and authoritative reference URLs are surfaced on every advisory detail page. Fields are blank when the vendor's own disclosure did not include them.

Is this feed free to use?
Yes. All pages on /pulse/vendor-advisories are free to read and link to. The underlying advisory data is published by each vendor under their own terms — EchelonGraph aggregates and normalises it for discoverability.