GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,521 advisories

vite: `server.fs.deny` bypass on Windows alternate paths High
CVE-2026-53571 was published for vite (npm) Jun 15, 2026
Credited to TazmiDev, 332QAQ, and ArnaudBarre
@angular/common: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo) High
CVE-2026-50171 was published for @angular/common (npm) Jun 15, 2026
Credited to alan-agius4, JeanMeche, AndrewKushnir, and josephperrott
@angular/common: Information Leak via Default Caching of Credentialed Requests in HttpTransferCache High
CVE-2026-50170 was published for @angular/common (npm) Jun 15, 2026
Credited to Yenya030, josephperrott, alan-agius4, AndrewKushnir, and dgp1130
@angular/platform-server: URL Parser Differential leading to SSRF Allowlist Bypass High
CVE-2026-50168 was published for @angular/platform-server (npm) Jun 15, 2026
Credited to alan-agius4, AndrewKushnir, josephperrott, and 0xEr3n
Credited to tonghuaroot
ws: Memory exhaustion DoS from tiny fragments and data chunks High
CVE-2026-48779 was published for ws (npm) Jun 15, 2026
Credited to Nadav0077
Angular Client Hydration DOM Clobbering & Response-Cache Poisoning High
CVE-2026-54267 was published for @angular/core (npm) Jun 15, 2026
Credited to SkyZeroZx, AndrewKushnir, alan-agius4, josephperrott, and JeanMeche
Credited to sondt99 and dungNHVhust
Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL High
CVE-2026-48152 was published for @budibase/server (npm) Jun 12, 2026
Credited to liyander
Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection High
CVE-2026-48146 was published for @budibase/server (npm) Jun 12, 2026
Credited to axel-corsiez
@grpc/grpc-js: A malformed request can cause a server crash High
CVE-2026-48068 was published for @grpc/grpc-js (npm) Jun 11, 2026
@grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash High
CVE-2026-48069 was published for @grpc/grpc-js (npm) Jun 11, 2026
Credited to 232-323 and knm6777
Element Call reports full URLs of visited pages to analytics server High
CVE-2026-48007 was published for @element-hq/element-call-embedded (npm) Jun 11, 2026
@hulumi/drift: Drift classifier fails open on adapter errors and over-promotes Mixed verdicts High
CVE-2026-48036 was published for @hulumi/drift (npm) Jun 10, 2026
Credited to kerberosmansour
@hulumi/baseline: AccountFoundation audit-delivery S3 bucket could be silently weakened High
CVE-2026-48035 was published for @hulumi/baseline (npm) Jun 10, 2026
Credited to kerberosmansour
@hulumi/policies has a HULUMI-H5 bypass via decoy sibling resources targeting a different bucket High
CVE-2026-48034 was published for @hulumi/policies (npm) Jun 10, 2026
Credited to kerberosmansour
@hulumi/policies bypasses policy packs with a forged Pulumi-URN logical name High
CVE-2026-48033 was published for @hulumi/policies (npm) Jun 10, 2026
Credited to kerberosmansour
@hulumi/policies bypasses IAM-role policy checks when the role trusts multiple OIDC providers High
CVE-2026-48032 was published for @hulumi/policies (npm) Jun 10, 2026
Credited to kerberosmansour
Credited to adrgs and aisafe-bot
TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection High
CVE-2026-47761 was published for TinyMCE (Composer) Jun 5, 2026
Credited to UncleJ4ck and ange-primiterra
TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments High
CVE-2026-47762 was published for TinyMCE (Composer) Jun 5, 2026
Credited to he1d3n
Credited to mtrill47 and he1d3n
TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs High
CVE-2026-47760 was published for TinyMCE (Composer) Jun 5, 2026
Credited to maple3142