GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 73
GitHub Actions: 53
Go: 4,004
Maven: 5,000+
npm: 5,000+
NuGet: 974
pip: 5,000+
Pub: 13
RubyGems: 1,069
Rust: 1,395
Swift: 61
Unreviewed advisories
All unreviewed: 5,000+
6,421 advisories
@hulumi/policies bypasses IAM-role policy checks when the role trusts multiple OIDC providers
High | CVE-2026-48032 was published for @hulumi/policies (npm) on Jun 10, 2026
shell-quote quote() does not escape newlines in object .op values
Critical | CVE-2026-9277 was published for shell-quote (npm) on Jun 9, 2026
FUXA's scheduler API missing admin check enables operator-to-admin escalation via scheduled device actions
Moderate | CVE-2026-47721 was published for fuxa-server (npm) on Jun 8, 2026
FUXA has SQL Injection in its TDengine DAQ connector via backslash bypass of escapeTdString
Moderate | CVE-2026-47720 was published for fuxa-server (npm) on Jun 8, 2026
FUXA: Unauthenticated SSRF via Socket.IO DEVICE_WEBAPI_REQUEST and DEVICE_PROPERTY with response reading
High | CVE-2026-47719 was published for fuxa-server (npm) on Jun 8, 2026
actual Allows Electron to Run As Node
Moderate | CVE-2026-42890 was published for actual (npm) on Jun 8, 2026
Cordova Plugin InAppBrowser: iOS: Arbitrary Cordova callback IDs can be dispatched without validation from InAppBrowser WebViews.
Critical | CVE-2026-47430 was published for cordova-plugin-inappbrowser (npm) on Jun 8, 2026
TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection
High | CVE-2026-47761 was published for TinyMCE (Composer) on Jun 5, 2026
TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments
High | CVE-2026-47762 was published for TinyMCE (Composer) on Jun 5, 2026
TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes
High | CVE-2026-47759 was published for TinyMCE (Composer) on Jun 5, 2026
TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs
High | CVE-2026-47760 was published for TinyMCE (Composer) on Jun 5, 2026
NocoDB: OAuth Tokens Persist Through Security Events
Moderate | CVE-2026-53926 was published for nocodb (npm) on Jun 5, 2026
DbGate: Remote Code Execution via functionName injection in loadReader endpoint
High | CVE-2026-48017 was published for dbgate-api (npm) on Jun 5, 2026
Sync-in Server: SSRF protection bypass via IPv4-mapped IPv6 addresses in regExpPrivateIP
High | CVE-2026-47684 was published for @sync-in/server (npm) on Jun 5, 2026
Authenticated Remote Code Execution via loadReader functionName code injection in DbGate
Critical | CVE-2026-47670 was published for dbgate-api (npm) on Jun 5, 2026
DbGate: Zip Slip in archive/unzip allows arbitrary file write leading to RCE
Critical | CVE-2026-47669 was published for dbgate (npm) on Jun 5, 2026
DbGate: Unauthenticated Remote Code Execution via JSON Script Runner
Critical | CVE-2026-47668 was published for dbgate-serve (npm) on Jun 5, 2026
NocoDB: Missing Ownership Check in MCP Attachment Read
Low | CVE-2026-47388 was published for nocodb (npm) on Jun 5, 2026
NocoDB: Stored Cross-Site Scripting via Form View Redirect URL
High | CVE-2026-47387 was published for nocodb (npm) on Jun 5, 2026
NocoDB: OAuth Authorization Code Race Condition
Moderate | CVE-2026-47386 was published for nocodb (npm) on Jun 5, 2026
NocoDB: Path Traversal via SQLite Source Filename
Moderate | CVE-2026-47385 was published for nocodb (npm) on Jun 5, 2026
NocoDB: SQL Injection via Column Title in Bulk GroupBy
Moderate | CVE-2026-47384 was published for nocodb (npm) on Jun 5, 2026
NocoDB: Stored Cross-Site Scripting via Row Comments
High | CVE-2026-47383 was published for nocodb (npm) on Jun 5, 2026
NocoDB: Server-Side Request Forgery via Database Connection Host
Moderate | CVE-2026-47382 was published for nocodb (npm) on Jun 5, 2026
NocoDB: Cross-Workspace Integration Use in Connection Test
Moderate | CVE-2026-47381 was published for nocodb (npm) on Jun 5, 2026
ProTip! Advisories are also available from the GraphQL API.