
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,270 advisories

Unity Catalog has a JWT Issuer Validation Bypass that Allows Complete User Impersonation Critical
CVE-2026-27478 was published for io.unitycatalog:unitycatalog-server (Maven) May 11, 2026
Credited to lukas-reining
WebdriverIO BrowserStack Service has a Command Injection issue Critical
CVE-2026-25244 was published for @wdio/browserstack-service (npm) May 11, 2026
Credited to hayageek
torrentpier has PHP Serialize Injections Critical
GHSA-h29g-c9cx-c73q was published for torrentpier/torrentpier (Composer) May 11, 2026
Credited to PhpSecure
Angular Expressions - Remote Code Execution using filters Critical
CVE-2026-44643 was published for angular-expressions (npm) May 11, 2026
CloudNativePG's metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE Critical
CVE-2026-44477 was published for github.com/cloudnative-pg/cloudnative-pg (Go) May 11, 2026
Credited to mdisec
PraisonAI MCP `tools/call` path-traversal => RCE via Python `.pth` injection Critical
CVE-2026-44336 was published for PraisonAI (pip) May 11, 2026
Credited to Curly-Haired-Baboon
@profullstack/mcp-server vulnerable to OS Command Injection in domain_lookup Module Critical
GHSA-v6wj-c83f-v46x was published for @profullstack/mcp-server (npm) May 9, 2026
Credited to 232-323
Snipe-IT has insecure permissions in file uploads Critical
CVE-2026-37709 was published for snipe/snipe-it (Composer) May 8, 2026
Credited to 0xAspros
free5GC's SMF UPI management interface lacks auth middleware; unauthenticated topology read/write requests reach handlers Critical
CVE-2026-44329 was published for github.com/free5gc/smf (Go) May 8, 2026
Credited to LinZiyuu
free5GC's NEF nnef-oam route group is unauthenticated; no-token requests reach the OAM handler Critical
CVE-2026-44327 was published for github.com/free5gc/nef (Go) May 8, 2026
Credited to LinZiyuu
Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability Critical
CVE-2026-44211 was published for cline (npm) May 8, 2026
Credited to sagilayani
Open WebUI has an LDAP Empty Password Authentication Bypass Critical
CVE-2026-44551 was published for open-webui (pip) May 8, 2026
Credited to Classic298
SiYuan: Electron Renderer RCE via decodeURIComponent-driven tooltip XSS in aria-label sink (incomplete fix for CVE-2026-34585) Critical
CVE-2026-44588 was published for github.com/siyuan-note/siyuan/kernel (Go) May 8, 2026
Credited to Curly-Haired-Baboon
Electerm users can run dangerous code through link or command line Critical
CVE-2026-43944 was published for electerm (npm) May 8, 2026
Credited to Curly-Haired-Baboon
Electerm runWidget has a path traversal that leads to arbitrary code execution Critical
CVE-2026-43940 was published for electerm (npm) May 8, 2026
Credited to osageling
dash-uploader has a directory traversal vulnerability Critical
CVE-2026-38360 was published for dash-uploader (pip) May 8, 2026
Credited to a1ohadance
Zebra v4.4.0 still accepts V5 SIGHASH_SINGLE without a corresponding output Critical
GHSA-pvmv-cwg8-v6c8 was published for zebra-script (Rust) May 8, 2026
Credited to sangsoo-osec and fivelittleducks
PrestaShop has a stored XSS executable in customer service view Critical
CVE-2026-44212 was published for prestashop/prestashop (Composer) May 8, 2026
SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE Critical
CVE-2026-44670 was published for github.com/siyuan-note/siyuan/kernel (Go) May 8, 2026
Credited to Curly-Haired-Baboon
vm2 has Sandbox Breakout Through Null Proto Exception Critical
CVE-2026-44009 was published for vm2 (npm) May 8, 2026
Credited to XmiliaH
vm2 has sandbox breakout via `neutralizeArraySpeciesBatch` Critical
CVE-2026-44008 was published for vm2 (npm) May 8, 2026
Credited to XmiliaH
Note Mark has a JWT Secret Weakness that allows Full Account Takeover via Token Forgery Critical
CVE-2026-44523 was published for github.com/enchant97/note-mark/backend (Go) May 7, 2026
Credited to osageling and enchant97