GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

193 advisories

Crawl4AI: Multiple Docker API Vulnerabilities - File Write, SSRF, Auth Bypass, XSS, JS Execution Critical
GHSA-365w-hqf6-vxfg was published for crawl4ai (pip) Jun 16, 2026
Credited to August829
DbGate: Zip Slip in archive/unzip allows arbitrary file write leading to RCE Critical
CVE-2026-47669 was published for dbgate (npm) Jun 5, 2026
FileBrowser Quantum: Path traversal in public share PATCH allows file ops outside shared directory Critical
CVE-2026-48777 was published for github.com/gtsteffaniak/filebrowser/backend (Go) May 22, 2026
Credited to fg0x0 and Revanth011
Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host Critical
CVE-2026-46703 was published for @boxlite-ai/boxlite (Go) May 21, 2026
Credited to XlabAITeam and A7um
zrok Python ProxyShare can be used as an SSRF proxy through absolute URL paths Critical
CVE-2026-45568 was published for zrok (pip) May 19, 2026
Credited to aisafe-bot
Strapi may leak sensitive data via relational filtering due to lack of query sanitization Critical
CVE-2026-27886 was published for @strapi/strapi (npm) May 14, 2026
Credited to WildWestCyberSecurity, innerdvations, derrickmehaffy, nclsndr, and Bassel17
SillyTavern has a Path Traversal issue Critical
CVE-2026-44650 was published for sillytavern (npm) May 12, 2026
Credited to ygboy777-alt, Greg-Kim, S4nso, and Mirr2
PraisonAI MCP `tools/call` path-traversal => RCE via Python `.pth` injection Critical
CVE-2026-44336 was published for PraisonAI (pip) May 11, 2026
Credited to Curly-Haired-Baboon
Electerm runWidget has a path traversal that leads to arbitrary code execution Critical
CVE-2026-43940 was published for electerm (npm) May 8, 2026
Credited to osageling
dash-uploader has a directory traversal vulnerability Critical
CVE-2026-38360 was published for dash-uploader (pip) May 8, 2026
Credited to a1ohadance
Spring Cloud Config vulnerable to Path Traversal Critical
CVE-2026-40982 was published for org.springframework.cloud:spring-cloud-config-server (Maven) May 7, 2026
Credited to scottfrederick
FileBrowser Public Share DELETE API Path Traversal Allows Unauthenticated Arbitrary File Deletion Critical
CVE-2026-44542 was published for github.com/gtsteffaniak/filebrowser (Go) May 7, 2026
Credited to Yesuhei
django-s3file is vulnerable to relative path traversal Critical
CVE-2026-42196 was published for django-s3file (pip) May 5, 2026
Credited to stsewd and amureki
S3-Proxy has Security Issues in its Resource Path Matching Implementation Critical
CVE-2026-42882 was published for github.com/oxyno-zeta/s3-proxy (Go) May 5, 2026
Credited to argos83
Eclipse BaSyx Java Server SDK vulnerable to Path Traversal Critical
CVE-2026-7411 was published for org.eclipse.basyx:basyx.sdk (Maven) May 5, 2026
Langflow Knowledge Bases API is Vulnerable to Path Traversal Critical
CVE-2026-42048 was published for langflow (pip) May 5, 2026
Credited to ddlxstudio, nekros1xx, AntonioABLima, Cristhianzl, and andifilhohub
OpenMRS Module Upload Vulnerable to Path Traversal (Zip Slip) Critical
CVE-2026-40076 was published for org.openmrs.web:openmrs-web (Maven) May 4, 2026
Credited to Arron-bit
Shopizer has a path traversal issue Critical
CVE-2026-36767 was published for com.shopizer:shopizer (Maven) Apr 30, 2026
CI4MS Theme::upload is vulnerable to Zip Slip leading to RCE Critical
CVE-2026-41203 was published for ci4-cms-erp/ci4ms (Composer) Apr 22, 2026
Credited to fg0x0
CI4MS Backup::restore is vulnerable to Zip Slip leading to RCE Critical
CVE-2026-41202 was published for ci4-cms-erp/ci4ms (Composer) Apr 22, 2026
Credited to fg0x0
Wish has SCP Path Traversal that allows arbitrary file read/write Critical
CVE-2026-41589 was published for charm.land/wish/v2 (Go) Apr 18, 2026
Credited to evnsh, andreynering, and aymanbagabas
excel-mcp-server has a Path Traversal issue Critical
CVE-2026-40576 was published for excel-mcp-server (pip) Apr 14, 2026
Credited to hits313
Daptin has Unauthenticated Path Traversal and Zip Slip Critical
GHSA-9cp7-j3f8-p5jx was published for github.com/daptin/daptin (Go) Apr 10, 2026
gramps-webapi: Zip Slip Path Traversal in Media Archive Import Critical
CVE-2026-40258 was published for gramps-webapi (pip) Apr 10, 2026
Credited to srisowmya2000