GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,289 advisories

@angular/core: Angular Template and Dynamic Component Namespace Bypass leading to Cross-Site Scripting (XSS) Moderate
CVE-2026-52725 was published for @angular/core (npm) Jun 15, 2026
Credited to SkyZeroZx, AndrewKushnir, alan-agius4, and josephperrott
Angular Service Worker Policy-Bypass & Credential-Stripping Vulnerabilities Moderate
CVE-2026-50169 was published for @angular/service-worker (npm) Jun 15, 2026
Credited to Yenya030, alan-agius4, JeanMeche, josephperrott, and AndrewKushnir
Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization Moderate
CVE-2026-44311 was published for fabric (npm) Jun 12, 2026
Budibase: Unvalidated VectorDB Host Parameter Enables SSRF Moderate
CVE-2026-48148 was published for @budibase/server (npm) Jun 12, 2026
Credited to fg0x0
Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker Moderate
CVE-2026-48147 was published for @budibase/backend-core (npm) Jun 12, 2026
Credited to b-hermes
Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step Moderate
CVE-2026-48128 was published for budibase (npm) Jun 12, 2026
Credited to fg0x0
LangGraph has NoSQL parameter injection in MongoDBSaver, allowing cross-tenant state access Moderate
CVE-2026-48121 was published for @langchain/langgraph-checkpoint-mongodb (npm) Jun 12, 2026
Credited to Nagendhra-web, etairl, and hntrl
@hapi/inert has a static-file confinement bypass via sibling-prefix path Moderate
CVE-2026-48049 was published for @hapi/inert (npm) Jun 11, 2026
Credited to imssm99
joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas Moderate
CVE-2026-48038 was published for joi (npm) Jun 11, 2026
Credited to kexwin
@hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects Moderate
CVE-2026-48022 was published for @hapi/wreck (npm) Jun 11, 2026
Credited to SnailSploit
@hulumi/baseline: AccountFoundation reuse paths silently downgrade GuardDuty / Security Hub posture Moderate
CVE-2026-48037 was published for @hulumi/baseline (npm) Jun 10, 2026
Credited to kerberosmansour
FUXA's scheduler API missing admin check enables operator-to-admin escalation via scheduled device actions Moderate
CVE-2026-47721 was published for fuxa-server (npm) Jun 8, 2026
Credited to adrgs and aisafe-bot
FUXA has SQL Injection in its TDengine DAQ connector via backslash bypass of escapeTdString Moderate
CVE-2026-47720 was published for fuxa-server (npm) Jun 8, 2026
Credited to adrgs and aisafe-bot
actual Allows Electron to Run As Node Moderate
CVE-2026-42890 was published for actual (npm) Jun 8, 2026
Credited to mustafa-sec
NocoDB: OAuth Tokens Persist Through Security Events Moderate
CVE-2026-53926 was published for nocodb (npm) Jun 5, 2026
Credited to bugbunny-research
NocoDB: OAuth Authorization Code Race Condition Moderate
CVE-2026-47386 was published for nocodb (npm) Jun 5, 2026
NocoDB: Path Traversal via SQLite Source Filename Moderate
CVE-2026-47385 was published for nocodb (npm) Jun 5, 2026
Credited to Mouhebbenelwafi
NocoDB: SQL Injection via Column Title in Bulk GroupBy Moderate
CVE-2026-47384 was published for nocodb (npm) Jun 5, 2026
Credited to geo-chen
NocoDB: Server-Side Request Forgery via Database Connection Host Moderate
CVE-2026-47382 was published for nocodb (npm) Jun 5, 2026
Credited to helwor-01
NocoDB: Cross-Workspace Integration Use in Connection Test Moderate
CVE-2026-47381 was published for nocodb (npm) Jun 5, 2026
Credited to DongyangLyu
NocoDB: Plaintext Password Comparison in Shared Views Moderate
CVE-2026-47379 was published for nocodb (npm) Jun 5, 2026
Credited to Proscan-one
NocoDB: Hidden Column Exposure in Public Shared View Endpoints Moderate
CVE-2026-47378 was published for nocodb (npm) Jun 5, 2026
Credited to 0xBassia
NocoDB: Open Redirect via Hash Fragment in hashRedirect Plugin Moderate
CVE-2026-47377 was published for nocodb (npm) Jun 5, 2026
Credited to fg0x0
NocoDB: Reflected Cross-Site Scripting via Password Reset Token Moderate
CVE-2026-47376 was published for nocodb (npm) Jun 5, 2026
Credited to fg0x0
NocoDB: Postgres SQL Injection in Formula `ARRAYSORT` Moderate
CVE-2026-47375 was published for nocodb (npm) Jun 5, 2026
Credited to leduckhuong