
GitHub Advisory Database

Security vulnerability database, inclusive of CVEs and GitHub-originated security advisories, from the world of open source software.

6,517 advisories

@hulumi/baseline: AccountFoundation reuse paths silently downgrade GuardDuty / Security Hub posture Moderate
CVE-2026-48037 was published for @hulumi/baseline (npm) Jun 10, 2026
Credited to kerberosmansour
Papra HTTP redirect bypass can lead to SSRF via webhook delivery system Low
CVE-2026-48051 was published for @papra/webhooks (npm) Jun 10, 2026
Credited to FredrikEV
Credited to purpshell and SheIITear
Element Call reports full URLs of visited pages to analytics server High
CVE-2026-48007 was published for @element-hq/element-call-embedded (npm) Jun 11, 2026
@hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects Moderate
CVE-2026-48022 was published for @hapi/wreck (npm) Jun 11, 2026
Credited to SnailSploit
Credited to 232-323 and knm6777
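The @hapi/wreck entry above names a general HTTP-client rule: when a redirect leaves the origin the request was sent to (a different scheme, host, or port), credential-bearing headers must not be forwarded. The Fetch standard applies the same rule to `Authorization` on cross-origin redirects. The following is an added, generic illustration of that check; it is not wreck's code, and the header names, URLs, and the `headersForRedirect` function are assumptions for the example.

```javascript
// Generic credential-stripping rule for HTTP redirects (added example, not @hapi/wreck's code).
// Headers that carry credentials and must not cross an origin boundary (assumed list).
const CREDENTIAL_HEADERS = new Set(['authorization', 'cookie', 'proxy-authorization']);

// Origin = scheme + host + port, as computed by the WHATWG URL parser.
// new URL() drops default ports, so 'https://h:443/' and 'https://h/' compare equal.
function sameOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin === new URL(toUrl).origin;
}

// Build the header set for the redirected request: keep everything when the
// origin is unchanged, otherwise drop the credential headers (case-insensitive).
function headersForRedirect(fromUrl, toUrl, headers) {
  const strip = !sameOrigin(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (strip && CREDENTIAL_HEADERS.has(name.toLowerCase())) continue; // dropped
    out[name] = value;
  }
  return out;
}

// Constructed request headers and redirect targets (not taken from the advisory).
const ORIGINAL_HEADERS = { Authorization: 'Bearer secret-token', Cookie: 'sid=abc', Accept: 'application/json' };

function demo() {
  return {
    samePath: headersForRedirect('https://api.example/v1/a', 'https://api.example/v1/b', ORIGINAL_HEADERS),
    crossPort: headersForRedirect('https://api.example/v1/a', 'https://api.example:8443/v1/b', ORIGINAL_HEADERS),
    crossScheme: headersForRedirect('https://api.example/v1/a', 'http://api.example/v1/b', ORIGINAL_HEADERS),
    crossHost: headersForRedirect('https://api.example/v1/a', 'https://other.example/v1/b', ORIGINAL_HEADERS),
  };
}
```

Comparing origins as a whole, rather than just hostnames, is what catches the cross-port and cross-scheme cases the advisory title mentions; a host-only comparison would forward the token to `https://api.example:8443` or to plain `http://`.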
joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas Moderate
CVE-2026-48038 was published for joi (npm) Jun 11, 2026
Credited to kexwin
@grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash High
CVE-2026-48069 was published for @grpc/grpc-js (npm) Jun 11, 2026
@grpc/grpc-js: A malformed request can cause a server crash High
CVE-2026-48068 was published for @grpc/grpc-js (npm) Jun 11, 2026
@hapi/inert has a static-file confinement bypass via sibling-prefix path Moderate
CVE-2026-48049 was published for @hapi/inert (npm) Jun 11, 2026
Credited to imssm99
LangGraph has NoSQL parameter injection in MongoDBSaver, allowing cross-tenant state access Moderate
CVE-2026-48121 was published for @langchain/langgraph-checkpoint-mongodb (npm) Jun 12, 2026
Credited to Nagendhra-web, etairl, and hntrl
Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step Moderate
CVE-2026-48128 was published for budibase (npm) Jun 12, 2026
Credited to fg0x0
Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection High
CVE-2026-48146 was published for @budibase/server (npm) Jun 12, 2026
Credited to axel-corsiez
Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker Moderate
CVE-2026-48147 was published for @budibase/backend-core (npm) Jun 12, 2026
Credited to b-hermes
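The Budibase "unanchored regex" entry above describes a bug class worth seeing concretely: a CSRF-exemption matcher that runs an unanchored pattern over the whole request URL, query string included, so a protected route can be made to look exempt by placing the exempt path in a query parameter. The code below is an added, generic illustration of the weak check beside a fixed one; it is not Budibase's `matchers.ts`, and the exempt prefixes, URLs, and function names are assumptions for the example.

```javascript
// Unanchored-regex route matching versus an anchored, path-only check (added example, not Budibase code).
// Routes that legitimately skip the CSRF check (constructed for this example).
const EXEMPT_PREFIXES = ['/api/public/', '/api/webhooks/'];

// Escape a literal string for use inside a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Weak: the pattern has no '^' anchor and is tested against the full URL,
// so any URL that merely contains an exempt prefix (e.g. in a query value) matches.
function isExemptWeak(requestUrl) {
  return EXEMPT_PREFIXES.some((p) => new RegExp(escapeRegExp(p)).test(requestUrl));
}

// Fixed: parse the URL, keep only the path (query string discarded), and anchor
// the pattern at the start of the path. The base URL is only used so that
// relative request targets such as '/api/x' can be parsed.
function isExemptFixed(requestUrl) {
  const { pathname } = new URL(requestUrl, 'http://localhost');
  return EXEMPT_PREFIXES.some((p) => new RegExp('^' + escapeRegExp(p)).test(pathname));
}

// Constructed request targets: a genuinely exempt route, a protected route, and
// a protected route that smuggles an exempt prefix into the query string.
const CASES = {
  exempt: '/api/public/status',
  protectedRoute: '/api/admin/users',
  smuggled: '/api/admin/users?next=/api/public/status',
};

function evaluate() {
  const out = {};
  for (const [name, url] of Object.entries(CASES)) {
    out[name] = { weak: isExemptWeak(url), fixed: isExemptFixed(url) };
  }
  return out;
}
```

The fixed version changes two things at once: it matches against the parsed path rather than the raw URL, and it anchors the pattern with `^`. Either change alone leaves a gap (an anchored pattern over the raw URL still breaks if the matcher is ever handed a full URL with a scheme; a path-only unanchored pattern still matches `/v2/api/public/...`).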
Budibase: Unvalidated VectorDB Host Parameter Enables SSRF Moderate
CVE-2026-48148 was published for @budibase/server (npm) Jun 12, 2026
Credited to fg0x0
Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign Critical
CVE-2026-48150 was published for @budibase/server (npm) Jun 12, 2026
Credited to adrgs and aisafe-bot
Credited to liyander
Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL High
CVE-2026-48152 was published for @budibase/server (npm) Jun 12, 2026
esbuild allows arbitrary file read when running the development server on Windows Low
GHSA-g7r4-m6w7-qqqr was published for esbuild (npm) Jun 12, 2026
Credited to dellalibera
Credited to sondt99 and dungNHVhust
Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization Moderate
CVE-2026-44311 was published for fabric (npm) Jun 12, 2026
Angular Client Hydration DOM Clobbering & Response-Cache Poisoning High
CVE-2026-54267 was published for @angular/core (npm) Jun 15, 2026
Credited to SkyZeroZx, AndrewKushnir, alan-agius4, josephperrott, and JeanMeche
ws: Memory exhaustion DoS from tiny fragments and data chunks High
CVE-2026-48779 was published for ws (npm) Jun 15, 2026
Credited to Nadav0077
Credited to tonghuaroot
@angular/platform-server: URL Parser Differential leading to SSRF Allowlist Bypass High
CVE-2026-50168 was published for @angular/platform-server (npm) Jun 15, 2026
Credited to alan-agius4, AndrewKushnir, josephperrott, and 0xEr3n
Advisories are also available from the GraphQL API.