Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,004
Maven
5,000+
npm
5,000+
NuGet
974
pip
5,000+
Pub
13
RubyGems
1,069
Rust
1,395
Swift
61
Unreviewed advisories
All unreviewed
5,000+

636 advisories

Loading
@hulumi/policies has a HULUMI-H5 bypass via decoy sibling resources targeting a different bucket High
CVE-2026-48034 was published for @hulumi/policies (npm) Jun 10, 2026
kerberosmansour Credited to kerberosmansour
Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking High
CVE-2026-44249 was published for io.netty:netty-handler (Maven) Jun 8, 2026
violetagg Credited to violetagg
Improper Access Control in vantage6 node Moderate
GHSA-x9f6-9rvm-mmrg was published for vantage6 (pip) Jun 5, 2026
NocoDB: Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints Moderate
CVE-2026-47279 was published for nocodb (npm) Jun 5, 2026
leduckhuong Credited to leduckhuong
wasmtime-wasi: WASI path_open(TRUNCATE) bypasses `FilePerms::WRITE` host restriction High
CVE-2026-47261 was published for wasmtime-wasi (Rust) Jun 5, 2026
shumbo Credited to shumbo
PraisonAI Platform: Missing role checks let any workspace member become owner and control workspace membership High
CVE-2026-47405 was published for praisonai-platform (pip) May 29, 2026
beanduan22 Credited to beanduan22
PraisonAI Platform workspace-scoped routes allow cross-workspace object access by global object ID High
CVE-2026-47399 was published for praisonai-platform (pip) May 29, 2026
beanduan22 Credited to beanduan22
PraisonAI call server exposes unauthenticated agent listing, invocation, and deletion when CALL_SERVER_TOKEN is unset Critical
CVE-2026-47396 was published for PraisonAI (pip) May 29, 2026
beanduan22 Credited to beanduan22
AgenticMail API/storage and outbound relay hardening fixes High
CVE-2026-47255 was published for @agenticmail/api (npm) May 29, 2026
Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*` Moderate
CVE-2026-47200 was published for @nuxt/nitro-server (npm) May 29, 2026
rmtsixq Credited to rmtsixq
OpenCTI: Privilege escalation via graphQL API is abusable by organization admins, due to incorrect ACL on userEdit relationAdd High
CVE-2026-44730 was published for pycti (pip) May 28, 2026
Wachizungu Credited to Wachizungu
FUXA Vulnerable to Pre-auth RCE via Path Manipulation & Configuration Injection High
CVE-2026-43945 was published for @frangoteam/fuxa (npm) May 26, 2026
ud444ng Credited to ud444ng
BoxLite: Permission Bypass Allows Modification of Read-Only Files Critical
CVE-2026-46695 was published for @boxlite-ai/boxlite (Go) May 21, 2026
XlabAITeam Credited to XlabAITeam and A7um A7um A7um
@hulumi/policies: GitHub OIDC trust policy bypass via AWS set-qualified condition operators Critical
GHSA-q2f7-m237-v562 was published for @hulumi/policies (npm) May 21, 2026
@hulumi/policies: HULUMI-H1 SecureBucket parent spoof bypass High
GHSA-g43v-9x7q-83pq was published for @hulumi/policies (npm) May 21, 2026
Fission router exposes /fission-function/<ns>/<name> on its public listener, allowing invocation of any function without an HTTPTrigger Critical
CVE-2026-46614 was published for github.com/fission/fission (Go) May 21, 2026
FORIMOC Credited to FORIMOC, Yuremin, and sanketsudake Yuremin Yuremin
sanketsudake sanketsudake
MLflow authenticated users can enumerate any registered model versions due to lack of per-model permissions checks Moderate
CVE-2026-2734 was published for mlflow (pip) May 21, 2026
Caddy Defender trusted proxy client IP bypass High
CVE-2026-46415 was published for pkg.jsn.cam/caddy-defender (Go) May 19, 2026
JasonLovesDoggo Credited to JasonLovesDoggo
AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php` Moderate
CVE-2026-46337 was published for WWBN/AVideo (Composer) May 19, 2026
pr3ungdt Credited to pr3ungdt
Keycloak: Information disclosure via OIDC token introspection endpoint audience bypass Moderate
CVE-2026-37979 was published for org.keycloak:keycloak-services (Maven) May 19, 2026
n8n-MCP: Multi-tenant MCP requests fall back to process-level n8n credentials when tenant headers are absent or incomplete High
CVE-2026-45707 was published for n8n-mcp (npm) May 18, 2026
u-ktdi Credited to u-ktdi
Sulu: Used API Keys may be available via Admin API Low
GHSA-9m6v-8fxc-4r44 was published for sulu/sulu (Composer) May 18, 2026
gangadhar-s-k Credited to gangadhar-s-k, mamazu, and alexander-schranz mamazu mamazu
alexander-schranz alexander-schranz
Open WebUI: Missing permission check in files API allows authenticated users to list, access and delete every uploaded file High
CVE-2026-45301 was published for open-webui (pip) May 14, 2026
vi11ain Credited to vi11ain
wger Vulnerable to IDOR: Authenticated Users Can Read Any User's Private Workout Session Data via Template Routine API High
CVE-2026-43977 was published for wger (pip) May 14, 2026
KadirArslan Credited to KadirArslan
FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment High
CVE-2026-46441 was published for flowise (npm) May 14, 2026
berkdedekarginoglu Credited to berkdedekarginoglu
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database