VYPR
Advisory · Published Jun 29, 2026 · 1 source

GitHub Advisory Database Faces Record Volume, Extending Processing Times

GitHub's Advisory Database experienced an unprecedented surge in advisories in May 2026, leading to significant delays in processing and publication.

In May 2026, the GitHub Advisory Database published a record-breaking 1,560 reviewed advisories, a figure more than five times its typical monthly output. This surge, however, has strained the system, leading to extended processing and publication times. The increased volume is attributed to a simultaneous acceleration in private vulnerability reports, repository advisories, and CVE requests, pushing the entire vulnerability disclosure ecosystem to a new operational scale.

The influx of reports has been substantial across all channels. Private vulnerability reports submitted through GitHub's platform escalated from approximately 550 per week in January to over 3,000 per week for much of May. Similarly, repository advisories grew from around 650 per week to more than 5,000 per week. The GitHub CNA also saw a near tenfold year-over-year increase in CVE requests, reaching almost 4,000 in May alone, as the broader CVE program surpassed 30,000 CVEs published for the year.

This increase in reported vulnerabilities has directly affected the database's processing times. Since mid-April, GitHub has not consistently met its internal goals for advisory publication. Delays initially stretched to about a week and have since grown to multiple weeks for a significant share of advisories. GitHub emphasizes that data quality remains high, with every reviewed advisory undergoing human validation, but the delay itself is the concern: until an advisory is published, tooling that consumes the database cannot alert on the affected versions, so the window between an upstream fix and downstream awareness widens.

Despite the throughput challenges, the core functions remain sound. GitHub's data pipelines and publishing infrastructure continue to operate, and the integrity and accuracy of published advisories are unaffected. The quality of CVE assignments has also held up, with an assignment rate consistently between 91% and 94%, indicating that the incoming data, while voluminous, has not degraded in quality. The primary issue is the system's capacity to process the sheer volume and complexity of what is arriving.

The complexity of modern vulnerability reports is a significant factor contributing to the extended processing times. While some advisories are straightforward, a growing number require extensive curator effort. This includes disambiguating package names across different ecosystems, reconstructing affected version ranges when not clearly specified, verifying multi-ecosystem impacts, and resolving conflicting information from various sources like CVE records and maintainer advisories.

GitHub clarifies that a "reviewed" advisory is not merely a republished record but the result of thorough verification. Curators meticulously map vulnerabilities to the correct package, validate version ranges against release history, confirm upstream accuracy, check for duplication, and validate classification and scoring. This rigorous process ensures the reliability of the data for downstream tools, and skipping verification to speed up publication would introduce unacceptable risks of false positives.
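Two of the curator steps named above, mapping a report to a concrete package in a named ecosystem and validating affected version ranges against release history, are mechanical enough to show in code. The following is an added example written for this page, not GitHub's own tooling. It checks an advisory in the OSV shape that the GitHub Advisory Database publishes, using a constructed package name ("example-parser", present in two ecosystems), a constructed release history, and a constructed advisory id. Version comparison is a plain numeric tuple; real ecosystems need their own comparators (semver prereleases, PEP 440, Maven qualifiers), which is part of why this work takes curator time.

```python
"""Sanity-check an OSV-format advisory's affected ranges against release history.

Added example: not GitHub's curation code. Package, releases and advisory are constructed.
"""

# Constructed release history (publish order, oldest first). The same name exists in two
# ecosystems, which is exactly the disambiguation problem a curator has to resolve.
RELEASES = {
    ("npm", "example-parser"): ["1.0.0", "1.1.0", "1.2.0", "1.2.1", "2.0.0"],
    ("PyPI", "example-parser"): ["0.9", "1.0", "1.1"],
}

# Constructed advisory in OSV shape. The npm range names a fix that was never released,
# the PyPI range is sound, and the third entry omits the ecosystem entirely.
ADVISORY = {
    "id": "EXAMPLE-0001",  # placeholder id, not a real GHSA/CVE
    "summary": "Constructed example: path traversal in archive extraction",
    "affected": [
        {
            "package": {"ecosystem": "npm", "name": "example-parser"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "1.1.0"}, {"fixed": "1.2.2"}]}],
        },
        {
            "package": {"ecosystem": "PyPI", "name": "example-parser"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "1.1"}]}],
        },
        {
            "package": {"name": "example-parser"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}]}],
        },
    ],
}


def parse_version(v):
    """Numeric dotted versions only; ecosystem-specific rules are deliberately out of scope."""
    return tuple(int(part) for part in v.split("."))


def range_bounds(rng):
    """Return (introduced, fixed) from an OSV range's events; either may be None."""
    introduced = fixed = None
    for event in rng.get("events", []):
        introduced = event.get("introduced", introduced)
        fixed = event.get("fixed", fixed)
    return introduced, fixed


def affected_versions(rng, history):
    """Expand a range into the published releases it actually covers: [introduced, fixed)."""
    introduced, fixed = range_bounds(rng)
    low = parse_version(introduced or "0")
    high = parse_version(fixed) if fixed is not None else None
    return [v for v in history
            if parse_version(v) >= low and (high is None or parse_version(v) < high)]


def check_affected(affected, releases):
    """Return a list of problems a curator would have to resolve before publishing."""
    problems = []
    pkg = affected.get("package", {})
    eco, name = pkg.get("ecosystem"), pkg.get("name")
    if not eco or not name:
        return ["package must name both ecosystem and name"]
    history = releases.get((eco, name))
    if history is None:
        return [f"{eco}/{name}: unknown package in this ecosystem"]
    for rng in affected.get("ranges", []):
        introduced, fixed = range_bounds(rng)
        if introduced is None:
            problems.append("range has no 'introduced' event")
            continue
        if introduced != "0" and introduced not in history:
            problems.append(f"introduced version {introduced} is not a published release")
        if fixed is None:
            problems.append("no fixed version: advisory cannot name a remediation")
        elif fixed not in history:
            problems.append(f"fixed version {fixed} is not a published release")
        elif introduced != "0" and parse_version(fixed) <= parse_version(introduced):
            problems.append("fixed version does not come after introduced version")
    return problems


def review_advisory(advisory, releases=RELEASES):
    """Map each affected entry (labelled ecosystem/name) to its list of problems."""
    report = {}
    for affected in advisory.get("affected", []):
        pkg = affected.get("package", {})
        label = f"{pkg.get('ecosystem') or '?'}/{pkg.get('name') or '?'}"
        report[label] = check_affected(affected, releases)
    return report


if __name__ == "__main__":
    for label, problems in review_advisory(ADVISORY).items():
        print(label, "OK" if not problems else problems)
```

The npm entry is the realistic failure: a maintainer reports the fix as 1.2.2 (perhaps the version in an unreleased branch), so a downstream scanner would either flag 2.0.0 as vulnerable or miss the gap entirely until a curator reconciles the range with what was actually published. The entry with no ecosystem cannot be mapped at all, which is the "disambiguating package names" work the text describes.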

This trend of increasing vulnerability volume and complexity is not unique to GitHub; it reflects a broader shift across the entire cybersecurity ecosystem. Organizations worldwide are grappling with the challenge of managing a rapidly growing number of reported and published vulnerabilities. The current situation highlights the need for the ecosystem to adapt to this new operating scale, emphasizing complete vulnerability data submission, close coordination between maintainers and researchers, and judicious CVE requests.

Synthesized by Vypr AI