GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
6,517 advisories
Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema
High
CVE-2026-48151
was published
for
@budibase/server
(npm)
Jun 12, 2026
Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign
Critical
CVE-2026-48150
was published
for
@budibase/server
(npm)
Jun 12, 2026
Budibase: Unvalidated VectorDB Host Parameter Enables SSRF
Moderate
CVE-2026-48148
was published
for
@budibase/server
(npm)
Jun 12, 2026
Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker
Moderate
CVE-2026-48147
was published
for
@budibase/backend-core
(npm)
Jun 12, 2026
Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection
High
CVE-2026-48146
was published
for
@budibase/server
(npm)
Jun 12, 2026
Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step
Moderate
CVE-2026-48128
was published
for
budibase
(npm)
Jun 12, 2026
LangGraph has NoSQL parameter injection in MongoDBSaver, allowing cross-tenant state access
Moderate
CVE-2026-48121
was published
for
@langchain/langgraph-checkpoint-mongodb
(npm)
Jun 12, 2026
@hapi/inert has a static-file confinement bypass via sibling-prefix path
Moderate
CVE-2026-48049
was published
for
@hapi/inert
(npm)
Jun 11, 2026
joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas
Moderate
CVE-2026-48038
was published
for
joi
(npm)
Jun 11, 2026
OpenZeppelin Contracts Wizard has Code Injection in Generated Hardhat and Foundry Tests via Unsanitized opts.name / opts.uri
High
CVE-2026-48054
was published
for
@openzeppelin/wizard
(npm)
Jun 11, 2026
@hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects
Moderate
CVE-2026-48022
was published
for
@hapi/wreck
(npm)
Jun 11, 2026
Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload
Critical
CVE-2026-48063
was published
for
@whiskeysockets/baileys
(npm)
Jun 10, 2026
Papra HTTP redirect bypass can lead to SSRF via webhook delivery system
Low
CVE-2026-48051
was published
for
@papra/webhooks
(npm)
Jun 10, 2026
@hulumi/baseline: AccountFoundation reuse paths silently downgrade GuardDuty / Security Hub posture
Moderate
CVE-2026-48037
was published
for
@hulumi/baseline
(npm)
Jun 10, 2026
@hulumi/drift: Drift classifier fails open on adapter errors and over-promotes Mixed verdicts
High
CVE-2026-48036
was published
for
@hulumi/drift
(npm)
Jun 10, 2026
@hulumi/baseline: AccountFoundation audit-delivery S3 bucket could be silently weakened
High
CVE-2026-48035
was published
for
@hulumi/baseline
(npm)
Jun 10, 2026
@hulumi/policies has a HULUMI-H5 bypass via decoy sibling resources targeting a different bucket
High
CVE-2026-48034
was published
for
@hulumi/policies
(npm)
Jun 10, 2026
@hulumi/policies bypasses policy packs with a forged Pulumi-URN logical name
High
CVE-2026-48033
was published
for
@hulumi/policies
(npm)
Jun 10, 2026
@hulumi/policies bypasses IAM-role policy checks when the role trusts multiple OIDC providers
High
CVE-2026-48032
was published
for
@hulumi/policies
(npm)
Jun 10, 2026
shell-quote quote() does not escape newlines in object .op values
Critical
CVE-2026-9277
was published
for
shell-quote
(npm)
Jun 9, 2026
FUXA's scheduler API missing admin check enables operator-to-admin escalation via scheduled device actions
Moderate
CVE-2026-47721
was published
for
fuxa-server
(npm)
Jun 8, 2026
FUXA has SQL Injection in its TDengine DAQ connector via backslash bypass of escapeTdString
Moderate
CVE-2026-47720
was published
for
fuxa-server
(npm)
Jun 8, 2026
ProTip!
Advisories are also available from the
GraphQL API