Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,004
Maven
5,000+
npm
5,000+
NuGet
974
pip
5,000+
Pub
13
RubyGems
1,069
Rust
1,395
Swift
61
Unreviewed advisories
All unreviewed
5,000+

6,421 advisories

Loading
Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix Low
CVE-2026-44489 was published for axios (npm) May 29, 2026
HaxCMS has a stored Cross-Site Scripting (XSS) bypass in its saveNode endpoint High
CVE-2026-48527 was published for @haxtheweb/haxcms-nodejs (npm) May 29, 2026
kn1ph Credited to kn1ph
FUXA provides guest and invalid-token access to protected read APIs in secure mode Moderate
CVE-2026-47718 was published for fuxa-server (npm) May 28, 2026
north-echo Credited to north-echo
Shamefile has an arbitrary file read via shamefile.yaml in shame next Moderate
CVE-2026-47144 was published for shamefile (npm) May 28, 2026
BKDDFS Credited to BKDDFS
FUXA's Unauthenticated Project Data Disclosure Exposes Server-Side Scripts and Device Configurations High
CVE-2026-47717 was published for fuxa-server (npm) May 27, 2026
AbdrrahimDahmani Credited to AbdrrahimDahmani
LiquidJS is Vulnerable to Remote Code Execution Critical
CVE-2026-45618 was published for liquidjs (npm) May 27, 2026
c0rydoras Credited to c0rydoras
LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex High
CVE-2026-45617 was published for liquidjs (npm) May 27, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime) High
CVE-2026-45357 was published for liquidjs (npm) May 27, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
@hapi/wreck leaks sensitive `Proxy-Authorization` header across cross-hostname redirects Moderate
CVE-2026-44979 was published for @hapi/wreck (npm) May 27, 2026
gasbugs Credited to gasbugs
@hapi/content header parser has a parameter smuggling issue that allows upload-filter bypass via duplicate parameters High
CVE-2026-44974 was published for @hapi/content (npm) May 27, 2026
threalwinky Credited to threalwinky
tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape High
CVE-2026-44705 was published for tmp (npm) May 27, 2026
Gyde04 Credited to Gyde04 and MaanVader MaanVader MaanVader
LiquidJS's `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()` Moderate
CVE-2026-44646 was published for liquidjs (npm) May 27, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body Moderate
CVE-2026-44645 was published for liquidjs (npm) May 27, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS Moderate
CVE-2026-44644 was published for liquidjs (npm) May 27, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass High
CVE-2026-43947 was published for fuxa-server (npm) May 26, 2026
AbdrrahimDahmani Credited to AbdrrahimDahmani
FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue High
CVE-2026-43946 was published for fuxa-server (npm) May 26, 2026
anyzy2003 Credited to anyzy2003
FUXA Vulnerable to Pre-auth RCE via Path Manipulation & Configuration Injection High
CVE-2026-43945 was published for @frangoteam/fuxa (npm) May 26, 2026
ud444ng Credited to ud444ng
Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring High
CVE-2026-42462 was published for @fedify/fedify (npm) May 26, 2026
yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation High
CVE-2026-42089 was published for yeoman-environment (npm) May 26, 2026
mshima Credited to mshima, UlisesGascon, and 0xmrma UlisesGascon UlisesGascon
0xmrma 0xmrma
CryptPad has a Sanitizer Bypass in Diffmarked.js that Allows Arbitrary HTML Injection and Potential XSS Moderate
CVE-2026-26028 was published for cryptpad (npm) May 26, 2026
ixSly Credited to ixSly
Typebot.io has stored XSS via `javascript`: URI in text bubble links — bot author executes JS on visitors' browsers Moderate
CVE-2026-39964 was published for @typebot.io/js (npm) May 26, 2026
morimori-dev Credited to morimori-dev
Typebot has Stored XSS via Rating Block Custom Icon that Bypasses isUnsafe Sandbox in Builder Preview High
CVE-2026-28445 was published for @typebot.io/js (npm) May 26, 2026
bugbunny-research Credited to bugbunny-research
Parse Server: Pre-authentication denial of service via client version header regex backtracking High
CVE-2026-47138 was published for parse-server (npm) May 23, 2026
shmulc8 Credited to shmulc8 and mtrezza mtrezza mtrezza
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set Moderate
CVE-2026-8723 was published for qs (npm) May 22, 2026
joannalange Credited to joannalange and ljharb ljharb ljharb
Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret High
CVE-2026-46701 was published for network-ai (npm) May 21, 2026
232-323 Credited to 232-323 and min8282 min8282 min8282
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database