
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,521 advisories

@angular/platform-server: SSRF via Hostname Hijacking High
CVE-2026-46417 was published for @angular/platform-server (npm) May 19, 2026
Credited to alan-agius4, AndrewKushnir, VenkatKwest, and dgp1130
CamoFox MCP: Unauthenticated HTTP MCP browser-control surface High
GHSA-7hgr-7h44-33w2 was published for camofox-mcp (npm) May 19, 2026
SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl High
CVE-2026-46372 was published for sillytavern (npm) May 19, 2026
Credited to larlarua
@libp2p/kad-dht: Unvalidated PUT_VALUE records allow unbounded disk exhaustion on DHT server nodes High
CVE-2026-45783 was published for @libp2p/kad-dht (npm) May 19, 2026
Credited to tahaafarooq
PenPot MCP REPL server binds to 0.0.0.0 with unauthenticated /execute endpoint — RCE High
CVE-2026-45805 was published for @penpot/mcp (npm) May 19, 2026
Credited to AyushParkara and overgrowncarrot1
Budibase: Unrestricted Upload of File with Dangerous Type High
CVE-2026-46426 was published for budibase (npm) May 19, 2026
Credited to da7om85
auth-fetch-mcp: SSRF and disk exfiltration via unvalidated auth_fetch and download_media URLs High
GHSA-hv85-774v-26fg was published for auth-fetch-mcp (npm) May 19, 2026
HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack High
CVE-2026-46511 was published for @haxtheweb/haxcms-nodejs (npm) May 19, 2026
Credited to trigerman
Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover High
CVE-2026-46396 was published for @haxtheweb/haxcms-nodejs (npm) May 19, 2026
Credited to trigerman
HAX open-apis: Credential Theft via Server-Side Request Forgery (SSRF) in open-apis High
CVE-2026-46391 was published for @haxtheweb/open-apis (npm) May 19, 2026
Credited to bradyjmcl
HAXcms createSite SSRF Enables Arbitrary File Read High
CVE-2026-46393 was published for @haxtheweb/haxcms-nodejs (npm) May 19, 2026
Credited to wsparks-vc and d6fault
Summarize contains a path traversal vulnerability High
CVE-2026-45242 was published for @steipete/summarize (npm) May 18, 2026
ngrok is Vulnerable to Command Injection High
CVE-2025-57282 was published for ngrok (npm) May 18, 2026
Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration High
CVE-2026-45716 was published for @budibase/worker (npm) May 18, 2026
Credited to offset and u-ktdi
multiparty vulnerable to ReDoS via filename parsing High
CVE-2026-8159 was published for multiparty (npm) May 18, 2026
Credited to aszx87410, blakeembrey, and UlisesGascon
multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing High
CVE-2026-8162 was published for multiparty (npm) May 18, 2026
Credited to ByamB4, bjohansebas, blakeembrey, and UlisesGascon
multiparty: Denial of Service via Prototype Pollution leads to Uncaught Exception High
CVE-2026-8161 was published for multiparty (npm) May 18, 2026
Credited to Ser0n-ath, bjohansebas, kq5y, ByamB4, blakeembrey, ljharb, and UlisesGascon
@tmlmobilidade/utils has prototype pollution in its setValueAtPath High
CVE-2026-45325 was published for @tmlmobilidade/utils (npm) May 18, 2026
Credited to 0xBassia
dynoxide: DNS rebinding and cross-origin CSRF via MCP HTTP transport High
GHSA-fvh2-gm75-j4j7 was published for dynoxide (npm) May 18, 2026
Credited to hicksy
parse-nested-form-data has Prototype Pollution via `__proto__` in FormData field names High
CVE-2026-45302 was published for parse-nested-form-data (npm) May 18, 2026
Credited to 0xBassia
form-data-objectizer: Prototype pollution in form-data-objectizer via bracket-notation form keys High
CVE-2026-46510 was published for form-data-objectizer (npm) May 18, 2026
Credited to 0xBassia
Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration High
CVE-2026-45715 was published for @budibase/server (npm) May 15, 2026
Credited to sajdakabir and zerotrail-ai
Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation High
CVE-2026-45548 was published for @budibase/server (npm) May 15, 2026
Credited to morimori-dev