GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 73
GitHub Actions: 53
Go: 4,004
Maven: 5,000+
npm: 5,000+
NuGet: 974
pip: 5,000+
Pub: 13
RubyGems: 1,069
Rust: 1,395
Swift: 61

Unreviewed advisories
All unreviewed: 5,000+
4,270 advisories
Formie: Pre-authenticated server-side template injection in Hidden fields
Critical • CVE-2026-45697 was published for verbb/formie (Composer) • May 18, 2026

Arcane Backend: Missing admin authorization on git repository endpoints allows non-admin users to exfiltrate stored Git credentials and tamper with GitOps configs
Critical • CVE-2026-45625 was published for github.com/getarcaneapp/arcane/backend (Go) • May 18, 2026

SGLang's multimodal generation runtime has an unauthenticated path traversal vulnerability
Critical • CVE-2026-7302 was published for sglang (pip) • May 18, 2026

SGLang: Multimodal scheduler deserializes untrusted pickle data on 0.0.0.0 ROUTER socket
Critical • CVE-2026-7301 was published for sglang (pip) • May 18, 2026

SGLang: Unauthenticated RCE via --enable-custom-logit-processor
Critical • CVE-2026-7304 was published for sglang (pip) • May 18, 2026

Duplicate Advisory: phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha
Critical • GHSA-ch9q-c9mp-j5gq was published for phpmyfaq/phpmyfaq (Composer) • May 15, 2026 • withdrawn

Duplicate Advisory: phpMyFAQ enables unauthenticated 2FA brute-force attack via /admin/check acceptance of arbitrary user-id
Critical • GHSA-6626-79jh-5ccr was published for phpmyfaq/phpmyfaq (Composer) • May 15, 2026 • withdrawn

Crabbox: environment variable exposure vulnerability
Critical • CVE-2026-8634 was published for github.com/openclaw/crabbox (Go) • May 14, 2026

vm2 Has a Sandbox Breakout Using Async Generator
Critical • CVE-2026-45411 was published for vm2 (npm) • May 14, 2026

utcp-cli Vulnerable to Command Injection via Unsanitized Argument Substitution in CLI Communication Protocol
Critical • CVE-2026-45369 was published for utcp-cli (pip) • May 14, 2026

Marten has an injection vulnerability in its full-text search regConfig parameter
Critical • CVE-2026-45288 was published for Marten (NuGet) • May 14, 2026

@samanhappy/mcphub: SSE Endpoint Accepts Arbitrary Username from URL Path Without Authentication, Enabling User Impersonation
Critical • GHSA-wf8q-wvv8-p8jf was published for @samanhappy/mcphub (npm) • May 14, 2026

Electerm Local code through electerm's single-instance socket
Critical • CVE-2026-45353 was published for electerm (npm) • May 14, 2026

DeepSeek TUI: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files
Critical • CVE-2026-45374 was published for deepseek-tui (Rust) • May 14, 2026

DeepSeek TUI: run_tests Tool Enables RCE via Malicious Repository Without Approval
Critical • CVE-2026-45311 was published for deepseek-tui (npm) • May 14, 2026

Electerm: Importing unsafe bookmark data could lead to unsafe operation when clicking local type bookmark
Critical • CVE-2026-45058 was published for electerm (npm) • May 14, 2026

Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
Critical • CVE-2026-44990 was published for sanitize-html (npm) • May 14, 2026

Portainer has an endpoint security bypass via Swarm service create/update
Critical • CVE-2026-44849 was published for github.com/portainer/portainer (Go) • May 14, 2026

Portainer missing authorization on Docker plugin endpoints, which allows host RCE
Critical • CVE-2026-44848 was published for github.com/portainer/portainer (Go) • May 14, 2026

n8n Has an XML Node Prototype Pollution Patch Bypass
Critical • CVE-2026-44791 was published for n8n (npm) • May 14, 2026

n8n Has an Arbitrary File Read via Git Node
Critical • CVE-2026-44790 was published for n8n (npm) • May 14, 2026

n8n: HTTP Request Node Pagination Prototype Pollution to RCE
Critical • CVE-2026-44789 was published for n8n (npm) • May 14, 2026

FlowiseAI: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape
Critical • CVE-2026-46442 was published for flowise (npm) • May 14, 2026

Strapi may leak sensitive data via relational filtering due to lack of query sanitization
Critical • CVE-2026-27886 was published for @strapi/strapi (npm) • May 14, 2026

Amazon Redshift Vulnerable to Remote Code Execution via Unsafe Class Loading
Critical • CVE-2026-8178 was published for com.amazon.redshift:redshift-jdbc42 (Maven) • May 14, 2026
ProTip! Advisories are also available from the GraphQL API.