GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
141 advisories
Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate
Moderate
CVE-2026-40486
was published
for
kimai/kimai
(Composer)
Apr 15, 2026
mathjs Allows Improperly Controlled Modification of Dynamically-Determined Object Attributes
High
CVE-2026-41139
was published
for
mathjs
(npm)
Apr 10, 2026
LXD: Update of type field in restricted TLS certificate allows privilege escalation to cluster admin
Critical
CVE-2026-34179
was published
for
github.com/canonical/lxd
(Go)
Apr 10, 2026
Directus: Path Traversal and Broken Access Control in File Management API
High
CVE-2026-39942
was published
for
directus
(npm)
Apr 4, 2026
SandboxJS: Sandbox integrity escape
Critical
CVE-2026-34208
was published
for
@nyariv/sandboxjs
(npm)
Apr 3, 2026
ONNX: Malicious ONNX models can crash servers by exploiting unprotected object settings.
High
CVE-2026-34445
was published
for
onnx
(pip)
Apr 1, 2026
Parse Server session creation endpoint allows overwriting server-generated session fields
Moderate
CVE-2026-32742
was published
for
parse-server
(npm)
Mar 17, 2026
SimpleEval: Objects (including modules) can leak dangerous modules through to direct access inside the sandbox
High
CVE-2026-32640
was published
for
simpleeval
(pip)
Mar 13, 2026
Winter vulnerable to privilege escalation by authenticated backend users
Critical
CVE-2026-27591
was published
for
winter/wn-backend-module
(Composer)
Mar 12, 2026
django-unicorn affected by component state manipulation via unvalidated attribute access
Moderate
CVE-2026-31815
was published
for
django-unicorn
(pip)
Mar 11, 2026
Flowise Allows Mass Assignment in `/api/v1/leads` Endpoint
High
CVE-2026-30822
was published
for
flowise
(npm)
Mar 6, 2026
Craft CMS: Entries Authorship Spoofing via Mass Assignment
Moderate
CVE-2026-28781
was published
for
craftcms/cms
(Composer)
Mar 3, 2026
Svelte SSR attribute spreading includes inherited properties from prototype chain
Moderate
CVE-2026-27125
was published
for
svelte
(npm)
Feb 19, 2026
Mass Assignment in AdonisJS Lucid Allows Overwriting Internal ORM State
High
CVE-2026-22814
was published
for
@adonisjs/lucid
(npm)
Jan 13, 2026
UmbracoForms Vulnerable to Remote Code Execution via Untrusted WSDL Compilation in Dynamic SOAP Client Generation
Critical
CVE-2025-68924
was published
for
UmbracoForms
(NuGet)
Jan 13, 2026
maxminddb's `Reader::open_mmap` unsoundly marks unsafe memmap operation as safe
Low
GHSA-mj73-j457-8x9q
was published
for
maxminddb
(Rust)
Dec 2, 2025
Withdrawn Advisory: express improperly controls modification of query properties
Low
CVE-2024-51999
was published
for
express
(npm)
Dec 1, 2025
•
withdrawn
Insecure Deserialization (pickle) in pdfminer.six CMap Loader — Local Privesc
High
CVE-2025-70559
was published
for
pdfminer.six
(pip)
Nov 7, 2025
ProTip!
Advisories are also available from the
GraphQL API