GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 73
GitHub Actions: 53
Go: 4,004
Maven: 5,000+
npm: 5,000+
NuGet: 974
pip: 5,000+
Pub: 13
RubyGems: 1,069
Rust: 1,395
Swift: 61

Unreviewed advisories
All unreviewed: 5,000+

40 advisories

Budibase: Unvalidated VectorDB Host Parameter Enables SSRF
Moderate | CVE-2026-48148 was published for @budibase/server (npm) | Jun 12, 2026

Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step
Moderate | CVE-2026-48128 was published for budibase (npm) | Jun 12, 2026

Net::IMAP: Denial of Service via incomplete raw argument validation
Low | CVE-2026-47241 was published for net-imap (RubyGems) | Jun 9, 2026

NocoDB: Open Redirect via Hash Fragment in hashRedirect Plugin
Moderate | CVE-2026-47377 was published for nocodb (npm) | Jun 5, 2026

NocoDB: Reflected Cross-Site Scripting via Password Reset Token
Moderate | CVE-2026-47376 was published for nocodb (npm) | Jun 5, 2026

Sparkle's AppInstaller post-stage-1 XPC listener accepts unvalidated connections, allowing spoofed appcast item data injection
Moderate | CVE-2026-47122 was published for github.com/sparkle-project/Sparkle (Swift) | May 29, 2026

Sparkle: Binary delta apply intermediate-symlink traversal in malicious .delta
Moderate | CVE-2026-47121 was published for github.com/sparkle-project/Sparkle (Swift) | May 29, 2026

vm2 setup-sandbox.js violates Defense Invariant #11 in stack-trace formatter
Low | GHSA-q3fm-4wcw-g57x was published for vm2 (npm) | May 29, 2026

OpenBao's cross-namespace lease revocation via legacy sys/revoke path bypasses ACL
High | CVE-2026-45808 was published for github.com/openbao/openbao (Go) | May 28, 2026

FileBrowser Quantum: Path traversal in public share PATCH allows file ops outside shared directory
Critical | CVE-2026-48777 was published for github.com/gtsteffaniak/filebrowser/backend (Go) | May 22, 2026

Scriban: array.insert_at index parameter DoS bypasses LoopLimit and LimitToString
High | GHSA-24c8-4792-22hx was published for scriban (NuGet) | May 19, 2026

SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs
High | CVE-2026-45371 was published for github.com/siyuan-note/siyuan/kernel (Go) | May 13, 2026

n8n-mcp webhook and API client paths has an authenticated SSRF
High | CVE-2026-44694 was published for n8n-mcp (npm) | May 8, 2026

JupyterLab's command linker attributes in HTML enable one-click command execution from untrusted content
High | CVE-2026-42557 was published for jupyterlab (pip) | May 6, 2026

Kimai's Twig function config() leaks server-wide secrets (LDAP bind password, SAML SP private key) via invoice/export templates
Moderate | GHSA-vrqv-52x7-rm4v was published for kimai/kimai (Composer) | May 6, 2026

Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
Moderate | CVE-2026-42039 was published for axios (npm) | May 5, 2026

Weblate Vulnerable to Authenticated SSRF via Project Backup Import bypassing validate_repo_url
Moderate | CVE-2026-41654 was published for weblate (pip) | Apr 30, 2026

wlc: print_html outputs API data without HTML escaping
Moderate | CVE-2026-42150 was published for wlc (pip) | Apr 24, 2026

CI4MS Theme::upload is vulnerable to Zip Slip leading to RCE
Critical | CVE-2026-41203 was published for ci4-cms-erp/ci4ms (Composer) | Apr 22, 2026

CI4MS Backup::restore is vulnerable to Zip Slip leading to RCE
Critical | CVE-2026-41202 was published for ci4-cms-erp/ci4ms (Composer) | Apr 22, 2026

PySpector has a Plugin Code Execution Bypass via Incomplete Static Analysis in PluginSecurity.validate_plugin_code
Moderate | CVE-2026-41206 was published for pyspector (pip) | Apr 16, 2026

Juju: In-Memory Token Store for Discharge Tokens Lacks Concurrency Safety and Persistence
Moderate | CVE-2026-5774 was published for github.com/juju/juju (Go) | Apr 10, 2026

Vite: `server.fs.deny` bypassed with queries
High | CVE-2026-39364 was published for vite (npm) | Apr 6, 2026

SiYuan vulnerable to reflected XSS via SVG namespace prefix bypass in SanitizeSVG (getDynamicIcon, unauthenticated)
High | CVE-2026-34605 was published for github.com/siyuan-note/siyuan/kernel (Go) | Apr 1, 2026

Ash.Type.Module.cast_input/2 atom exhaustion via unchecked Module.concat allows BEAM VM crash
High | CVE-2026-34593 was published for ash (Erlang) | Apr 1, 2026

ProTip! Advisories are also available from the GraphQL API