GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, by ecosystem:
All reviewed: 5,000+
Composer: 5,000+
Erlang: 73
GitHub Actions: 53
Go: 4,004
Maven: 5,000+
npm: 5,000+
NuGet: 974
pip: 5,000+
Pub: 13
RubyGems: 1,069
Rust: 1,395
Swift: 61
Unreviewed advisories (all): 5,000+
4,270 advisories match the current filter (every entry shown is rated Critical); the 25 most recently published are listed below, newest first.
Identifier | Severity | Published | Package (ecosystem)

CVE-2026-48777 | Critical | May 22, 2026 | github.com/gtsteffaniak/filebrowser/backend (Go)
  FileBrowser Quantum: Path traversal in public share PATCH allows file ops outside shared directory

CVE-2026-46670 | Critical | May 22, 2026 | yeswiki/yeswiki (Composer)
  YesWiki: Unauthenticated SQL Injection

CVE-2026-46703 | Critical | May 21, 2026 | @boxlite-ai/boxlite (Go)
  Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host

CVE-2026-46695 | Critical | May 21, 2026 | @boxlite-ai/boxlite (Go)
  BoxLite: Permission Bypass Allows Modification of Read-Only Files

CVE-2026-46633 | Critical | May 21, 2026 | twig/twig (Composer)
  Twig: PHP code injection via `{% use %}` template name

GHSA-q2f7-m237-v562 | Critical | May 21, 2026 | @hulumi/policies (npm)
  @hulumi/policies: GitHub OIDC trust policy bypass via AWS set-qualified condition operators

CVE-2026-46614 | Critical | May 21, 2026 | github.com/fission/fission (Go)
  Fission router exposes /fission-function/<ns>/<name> on its public listener, allowing invocation of any function without an HTTPTrigger

CVE-2026-46421 | Critical | May 20, 2026 | @cap-js/db-service (npm)
  Supply chain compromise via malicious package versions (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service)

CVE-2026-46412 | Critical | May 19, 2026 | @beproduct/nestjs-auth (npm)
  Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19): Mini Shai-Hulud worm

CVE-2026-46354 | Critical | May 19, 2026 | github.com/coder/coder (Go)
  Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft

GHSA-g53w-w6mj-hrpp | Critical | May 19, 2026 | github.com/Kuadrant/mcp-gateway (Go)
  MCP Gateway: Authority-injection and JWT/session bypass via the unauthenticated router hair-pin "router-key" / "mcp-init-host" path

CVE-2026-46339 | Critical | May 19, 2026 | 9router (npm)
  9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes

CVE-2026-45695 | Critical | May 19, 2026 | github.com/kopia/kopia (Go)
  Kopia: RCE via SSH ProxyCommand Injection

CVE-2026-31072 | Critical | May 19, 2026 | apscheduler (pip)
  APScheduler's JSONSerializer and CBORSerializer are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization

CVE-2026-45758 | Critical | May 19, 2026 | guardrails-ai (pip)
  Malicious code in guardrails-ai 0.10.1 (supply chain compromise)

CVE-2026-2587 | Critical | May 19, 2026 | org.glassfish.jsftemplating:jsftemplating (Maven)
  GlassFish's gadget handler is vulnerable to RCE

CVE-2026-2586 | Critical | May 19, 2026 | org.glassfish.jsftemplating:jsftemplating (Maven)
  GlassFish's Administration Console is Vulnerable to RCE

CVE-2026-47323 | Critical | May 19, 2026 | org.apache.camel:camel-cxf-rest (Maven)
  Camel-CXF and Camel-Knative Message Header are Vulnerable to Injection via Missing Inbound Filtering

CVE-2026-45568 | Critical | May 19, 2026 | zrok (pip)
  zrok Python ProxyShare can be used as an SSRF proxy through absolute URL paths

CVE-2026-46395 | Critical | May 19, 2026 | @haxtheweb/haxcms-nodejs (npm)
  HAXcms: Private Key Disclosure via Broken HMAC Implementation

CVE-2026-45721 | Critical | May 19, 2026 | github.com/xyproto/algernon (Go)
  Algernon: handler.lua discovery walks parent directories above the server root

GHSA-27f5-xjrr-q9ff | Critical | May 19, 2026 | @opensearch-project/opensearch (npm)
  Malware in @opensearch-project/opensearch

CVE-2026-2611 | Critical | May 19, 2026 | mlflow (pip)
  MLflow: Improper Origin Validation in MLflow Assistant /ajax-api Endpoints Enables Browser-Mediated Local Command Execution

CVE-2026-45829 | Critical | May 18, 2026 | chromadb (pip)
  ChromaDB Python project has a pre-authentication code injection vulnerability

GHSA-wx9m-wx4f-4cmg | Critical | May 18, 2026 | mistralai (pip)
  Malicious dropper in mistralai 2.4.6 PyPI package
Advisories are also available programmatically from the GitHub GraphQL API.
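For teams that want to mirror this listing into their own tooling rather than read it in a browser, the following is an added example (not code from the GitHub Advisory Database page or from GitHub) that requests the newest advisories over the GraphQL API and flattens each one into the same columns the listing shows: identifier, severity, published date, package and ecosystem, summary. It assumes a token in the GITHUB_TOKEN environment variable for the live call, and it exercises the flattening logic offline against a constructed sample response (two entries copied from this listing; the time-of-day component, cursor value and the GHSA-only identifiers list are constructed, and no version ranges are included because the page lists none).

```python
"""Fetch the newest GitHub Security Advisories over GraphQL and flatten them
into the columns shown on the advisory listing page.

Added example; not GitHub's tooling. Live fetching needs GITHUB_TOKEN and
network access; flatten() and only_critical() run offline.
"""
import json
import os
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"

# Newest-first page of advisories. Field names follow the public schema:
# securityAdvisories -> ghsaId, summary, severity, publishedAt,
# identifiers{type value}, vulnerabilities{package{ecosystem name}}.
ADVISORIES_QUERY = """
query($first: Int!, $after: String) {
  securityAdvisories(first: $first, after: $after,
                     orderBy: {field: PUBLISHED_AT, direction: DESC}) {
    pageInfo { hasNextPage endCursor }
    nodes {
      ghsaId
      summary
      severity
      publishedAt
      identifiers { type value }
      vulnerabilities(first: 10) {
        nodes { package { ecosystem name } }
      }
    }
  }
}
"""


def fetch_advisories(token, first=25, after=None):
    """POST the query and return the decoded JSON body.

    Not called at import time, so the module still works offline."""
    body = json.dumps({"query": ADVISORIES_QUERY,
                       "variables": {"first": first, "after": after}}).encode()
    req = urllib.request.Request(
        GRAPHQL_URL, data=body, method="POST",
        headers={"Authorization": f"bearer {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def flatten(response):
    """Turn one GraphQL response into flat rows, one per advisory.

    The CVE is taken from the identifiers list (type "CVE"); advisories that
    have no CVE are keyed by their GHSA id, as the listing does. Ecosystems
    come back as enum names (NPM, GO, PIP, ...) rather than display names."""
    if response.get("errors"):
        raise RuntimeError(f"GraphQL errors: {response['errors']}")
    rows = []
    for adv in response["data"]["securityAdvisories"]["nodes"]:
        cve = next((i["value"] for i in adv["identifiers"]
                    if i["type"] == "CVE"), None)
        packages = sorted({(v["package"]["ecosystem"], v["package"]["name"])
                           for v in adv["vulnerabilities"]["nodes"]})
        rows.append({
            "id": cve or adv["ghsaId"],
            "ghsa": adv["ghsaId"],
            "severity": adv["severity"],
            "published": adv["publishedAt"][:10],  # keep the date only
            "packages": packages,
            "summary": adv["summary"],
        })
    return rows


def only_critical(rows):
    """Apply the severity filter the listing page is using."""
    return [r for r in rows if r["severity"] == "CRITICAL"]


# Constructed sample response: an offline stand-in for fetch_advisories().
# The two entries mirror rows on the listing page; timestamps, the cursor
# and the identifier lists are constructed for this example.
SAMPLE_RESPONSE = {"data": {"securityAdvisories": {
    "pageInfo": {"hasNextPage": True, "endCursor": "Y3Vyc29yOjI="},
    "nodes": [
        {"ghsaId": "GHSA-q2f7-m237-v562",
         "summary": "@hulumi/policies: GitHub OIDC trust policy bypass via "
                    "AWS set-qualified condition operators",
         "severity": "CRITICAL",
         "publishedAt": "2026-05-21T00:00:00Z",
         "identifiers": [{"type": "GHSA", "value": "GHSA-q2f7-m237-v562"}],
         "vulnerabilities": {"nodes": [
             {"package": {"ecosystem": "NPM", "name": "@hulumi/policies"}}]}},
        {"ghsaId": "GHSA-xxxx-xxxx-xxxx",  # placeholder GHSA id; page shows CVE
         "summary": "Twig: PHP code injection via `{% use %}` template name",
         "severity": "CRITICAL",
         "publishedAt": "2026-05-21T00:00:00Z",
         "identifiers": [{"type": "CVE", "value": "CVE-2026-46633"}],
         "vulnerabilities": {"nodes": [
             {"package": {"ecosystem": "COMPOSER", "name": "twig/twig"}}]}},
    ]}}}


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    data = fetch_advisories(token) if token else SAMPLE_RESPONSE
    for row in only_critical(flatten(data)):
        pkgs = ", ".join(f"{name} ({eco})" for eco, name in row["packages"])
        print(f"{row['id']} | {row['severity']} | {row['published']} | {pkgs}")
        print(f"  {row['summary']}")
```

Run it without a token to see the constructed sample rendered in the listing's layout; with GITHUB_TOKEN set it pulls the live page of 25 newest advisories. Paginate by passing `pageInfo.endCursor` back as `after`, and filter on `severity` client-side as `only_critical()` does, since the listing's severity facet is not a query argument here.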