GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories: All reviewed 5,000+; Composer 5,000+; Erlang 73; GitHub Actions 53; Go 4,004; Maven 5,000+; npm 5,000+; NuGet 974; pip 5,000+; Pub 13; RubyGems 1,069; Rust 1,395; Swift 61
Unreviewed advisories: All unreviewed 5,000+
5,300 advisories
protobuf.js: Code injection in pbjs static output from crafted schema names
High, CVE-2026-44295 was published for protobufjs-cli (npm), May 12, 2026
protobuf.js: Code injection through bytes field defaults in generated toObject code
High, CVE-2026-44293 was published for protobufjs (npm), May 12, 2026
protobuf.js: Code generation gadget after prototype pollution
High, CVE-2026-44291 was published for protobufjs (npm), May 12, 2026
Due to a Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP...
Moderate, Unreviewed, CVE-2026-40129 was published May 12, 2026
An issue in QuickJS-NG v.0.12.1 allows an attacker to execute arbitrary code via the...
High, Unreviewed, CVE-2026-37630 was published May 11, 2026
SandboxJS has a sandbox escape via Function.caller leakage of internal call op
Critical, CVE-2026-43898 was published for @nyariv/sandboxjs (npm), May 11, 2026
Mermaid: Improper sanitization of configuration leads to CSS injection
Moderate, CVE-2026-41159 was published for mermaid (npm), May 11, 2026
Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection
Moderate, CVE-2026-41149 was published for mermaid (npm), May 11, 2026
Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection
Moderate, CVE-2026-41148 was published for mermaid (npm), May 11, 2026
CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure...
Moderate, Unreviewed, CVE-2026-31252 was published May 11, 2026
flash-attention contains an insecure deserialization vulnerability in its checkpoint loading mechanism
High, CVE-2026-31253 was published for flash_attn (pip), May 11, 2026
Dockerfile command injection via envs[*].name in bentofile.yaml (sibling fix-bypass of CVE-2026-33744 and CVE-2026-35043)
High, CVE-2026-44346 was published for bentoml (pip), May 11, 2026
PraisonAI MCP `tools/call` path-traversal => RCE via Python `.pth` injection
Critical, CVE-2026-44336 was published for PraisonAI (pip), May 11, 2026
Evolution CMS 3.1.6 contains a remote code execution vulnerability that allows authenticated...
High, Unreviewed, CVE-2021-47939 was published May 10, 2026
Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to...
High, Unreviewed, CVE-2022-50944 was published May 10, 2026
Sentry: Superusers can execute arbitrary commands by injecting malicious pickle-serialized objects through audit log entry data parameter
High, CVE-2021-47935 was published for sentry (pip), May 10, 2026
ImpressCMS 1.4.2 contains a remote code execution vulnerability in the autotasks administrative...
High, Unreviewed, CVE-2021-47938 was published May 10, 2026
Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows...
High, Unreviewed, CVE-2026-29202 was published May 8, 2026
@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
High, CVE-2026-44728 was published for @babel/plugin-transform-modules-systemjs (npm), May 8, 2026
Electerm users can run dangerous code through link or command line
Critical, CVE-2026-43944 was published for electerm (npm), May 8, 2026
SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE
Critical, CVE-2026-44670 was published for github.com/siyuan-note/siyuan/kernel (Go), May 8, 2026
Account users are allowed by default to register templates to be downloaded directly to the...
Moderate, Unreviewed, CVE-2026-25077 was published May 8, 2026
1C-Bitrix through 25.100.500 allows Remote Code Execution because an actor with SOURCE/WRITE...
Critical, Unreviewed, CVE-2025-67887 was published May 8, 2026
FacturaScripts Vulnerable to Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images
Moderate, CVE-2026-42879 was published for facturascripts/facturascripts (Composer), May 7, 2026
ChestnutCMS v1.5.10 has a SQL injection vulnerability. The content parameter of the cms_content...
Critical, Unreviewed, CVE-2026-36458 was published May 7, 2026
ProTip! Advisories are also available from the GraphQL API.