Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,004
Maven
5,000+
npm
5,000+
NuGet
974
pip
5,000+
Pub
13
RubyGems
1,069
Rust
1,395
Swift
61
Unreviewed advisories
All unreviewed
5,000+

71 advisories

Loading
Gotenberg's DNS rebinding bypasses SSRF validation on Chromium URL conversion routes Moderate
CVE-2026-42592 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Gotenberg has arbitrary PDF read via stampExpression and watermarkExpression in merge, split, and convert routes Moderate
CVE-2026-42593 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Gotenberg has an unauthenticated denial of service via echo.Context pool reuse in webhook async goroutine High
CVE-2026-42594 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Gotenberg allows Chromium URL conversion routes to read arbitrary files under /tmp via file:// scheme Moderate
CVE-2026-42597 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
rok Python ProxyShare can be used as an SSRF proxy through absolute URL paths Critical
CVE-2026-45568 was published for zrok (pip) May 19, 2026
aisafe-bot Credited to aisafe-bot
zrok copy writes attacker-controlled WebDAV paths outside the destination root High
CVE-2026-45576 was published for github.com/openziti/zrok (Go) May 19, 2026
aisafe-bot Credited to aisafe-bot
Kirby CMS's `pages.access` permission is not checked during rendering of page drafts Moderate
CVE-2026-44176 was published for getkirby/cms (Composer) May 26, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint High
CVE-2026-42342 was published for @remix-run/server-runtime (npm) Jun 3, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
FUXA: Unauthenticated SSRF via Socket.IO DEVICE_WEBAPI_REQUEST and DEVICE_PROPERTY with response reading High
CVE-2026-47719 was published for fuxa-server (npm) Jun 8, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
FUXA has SQL Injection in its TDengine DAQ connector via backslash bypass of escapeTdString Moderate
CVE-2026-47720 was published for fuxa-server (npm) Jun 8, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
FUXA's scheduler API missing admin check enables operator-to-admin escalation via scheduled device actions Moderate
CVE-2026-47721 was published for fuxa-server (npm) Jun 8, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Private Lemmy instances expose multi-community metadata without authentication Moderate
GHSA-jmxc-hhwx-gvv3 was published for lemmy_api (Rust) May 6, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Lemmy may expose private community data through community, saved, liked, and modlog API views Moderate
GHSA-95q8-x6r6-672m was published for lemmy_api (Rust) May 6, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha Critical
CVE-2026-46364 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query High
CVE-2026-46366 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
phpMyFAQ enables unauthenticated 2FA brute-force attack via /admin/check acceptance of arbitrary user-id Critical
CVE-2026-45010 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
phpMyFAQ: Path Traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins Moderate
CVE-2026-45008 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token fields High
CVE-2026-46359 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
pyLoad is vulnerable to stored XSS in Downloads view via unsanitized link URL in packages.js template literal High
CVE-2026-45348 was published for pyload-ng (pip) May 14, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Weblate: Stored HTML injection in editor search preview Moderate
CVE-2026-45106 was published for weblate (pip) May 15, 2026
adrgs Credited to adrgs, aisafe-bot, nijel, and KarenKonou aisafe-bot aisafe-bot
nijel nijel KarenKonou KarenKonou
Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign Critical
CVE-2026-48150 was published for @budibase/server (npm) Jun 12, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database