Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,029
Maven
5,000+
npm
5,000+
NuGet
976
pip
5,000+
Pub
13
RubyGems
1,070
Rust
1,404
Swift
61
Unreviewed advisories
All unreviewed
5,000+

54 advisories

Loading
lmdeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out High
CVE-2026-46517 was published for lmdeploy (pip) May 21, 2026
ibondarenko1 Credited to ibondarenko1
FlowiseAI: Evaluator create+update mass-assignment allows cross-workspace evaluator takeover High
CVE-2026-46480 was published for flowise (npm) May 14, 2026
offset Credited to offset
FlowiseAI: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover High
CVE-2026-46479 was published for flowise (npm) May 14, 2026
offset Credited to offset
FlowiseAI: DatasetRow create+update mass-assignment allows cross-workspace row takeover High
CVE-2026-46478 was published for flowise (npm) May 14, 2026
offset Credited to offset
FlowiseAI: Dataset create+update mass-assignment allows cross-workspace dataset takeover High
CVE-2026-46477 was published for flowise (npm) May 14, 2026
offset Credited to offset
FlowiseAI: CustomTemplate create+update mass-assignment allows cross-workspace template takeover High
CVE-2026-46476 was published for flowise (npm) May 14, 2026
offset Credited to offset
FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover High
CVE-2026-46475 was published for flowise (npm) May 14, 2026
offset Credited to offset
FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment High
CVE-2026-46441 was published for flowise (npm) May 14, 2026
berkdedekarginoglu Credited to berkdedekarginoglu
FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment High
CVE-2026-42863 was published for flowise (npm) May 14, 2026
berkdedekarginoglu Credited to berkdedekarginoglu
FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment High
CVE-2026-42862 was published for flowise (npm) May 14, 2026
berkdedekarginoglu Credited to berkdedekarginoglu
FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment High
CVE-2026-42861 was published for flowise (npm) May 14, 2026
berkdedekarginoglu Credited to berkdedekarginoglu
Kysely: JSON-path traversal injection via unsanitized path-leg metacharacters in `JSONPathBuilder.key()` / `.at()` High
CVE-2026-44635 was published for kysely (npm) May 11, 2026
StarPlatinu Credited to StarPlatinu and igalklebanov igalklebanov igalklebanov
k8sGPT has Prompt Injection through its k8sGPT-Operator High
GHSA-rp7v-4384-hfrp was published for github.com/k8sgpt-ai/k8sgpt (Go) Apr 24, 2026
haruki3hhh Credited to haruki3hhh
Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object Takeover (IDOR) High
CVE-2026-41277 was published for flowise (npm) Apr 17, 2026
berkdedekarginoglu Credited to berkdedekarginoglu
Unsafe object property setter in mathjs High
CVE-2026-40897 was published for mathjs (npm) Apr 16, 2026
CykuTW Credited to CykuTW
Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association High
CVE-2026-41267 was published for flowise (npm) Apr 16, 2026
berkdedekarginoglu Credited to berkdedekarginoglu
mathjs Allows Improperly Controlled Modification of Dynamically-Determined Object Attributes High
CVE-2026-41139 was published for mathjs (npm) Apr 10, 2026
CykuTW Credited to CykuTW and marado marado marado
Directus: Path Traversal and Broken Access Control in File Management API High
CVE-2026-39942 was published for directus (npm) Apr 4, 2026
r3dpower Credited to r3dpower, pmins99, and odgrso pmins99 pmins99
odgrso odgrso
ONNX: Malicious ONNX models can crash servers by exploiting unprotected object settings. High
CVE-2026-34445 was published for onnx (pip) Apr 1, 2026
ZeroXJacks Credited to ZeroXJacks
SimpleEval: Objects (including modules) can leak dangerous modules through to direct access inside the sandbox High
CVE-2026-32640 was published for simpleeval (pip) Mar 13, 2026
ByamB4 Credited to ByamB4 and danthedeckie danthedeckie danthedeckie
Flowise Allows Mass Assignment in `/api/v1/leads` Endpoint High
CVE-2026-30822 was published for flowise (npm) Mar 6, 2026
yueyueL Credited to yueyueL
Snipe-IT has sensitive user attributes related to account privileges that are insufficiently protected against mass assignment High
CVE-2025-15602 was published for snipe/snipe-it (Composer) Mar 6, 2026
Mass Assignment in AdonisJS Lucid Allows Overwriting Internal ORM State High
CVE-2026-22814 was published for @adonisjs/lucid (npm) Jan 13, 2026
wodzen Credited to wodzen
Insecure Deserialization (pickle) in pdfminer.six CMap Loader — Local Privesc High
CVE-2025-70559 was published for pdfminer.six (pip) Nov 7, 2025
sumanrox Credited to sumanrox
Mesop Class Pollution vulnerability leads to DoS and Jailbreak attacks High
CVE-2025-30358 was published for mesop (pip) Mar 27, 2025
jackfromeast Credited to jackfromeast and superboy-zjc superboy-zjc superboy-zjc
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database