Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,004
Maven
5,000+
npm
5,000+
NuGet
974
pip
5,000+
Pub
13
RubyGems
1,069
Rust
1,395
Swift
61
Unreviewed advisories
All unreviewed
5,000+

5,300 advisories

Loading
actual Allows Electron to Run As Node Moderate
CVE-2026-42890 was published for actual (npm) Jun 8, 2026
mustafa-sec Credited to mustafa-sec
axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge High
CVE-2026-44495 was published for axios (npm) May 29, 2026
August829 Credited to August829
A code injection vulnerability in version 0.4.17 or later of the ChromaDB Python project allows... Critical Unreviewed
CVE-2026-45833 was published Jun 12, 2026
OpenZeppelin Contracts Wizard has Code Injection in Generated Hardhat and Foundry Tests via Unsanitized opts.name / opts.uri High
CVE-2026-48054 was published for @openzeppelin/wizard (npm) Jun 11, 2026
232-323 Credited to 232-323 and knm6777 knm6777 knm6777
PDM: Project-Controlled `.pdm-plugins` Content Executes Before CLI Parsing High
CVE-2026-47781 was published for pdm (pip) Jun 11, 2026
xuemian168 Credited to xuemian168
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz allows a... Unknown Unreviewed
CVE-2026-50223 was published Jun 11, 2026
Insufficient input validation vulnerability in the listed NETGEAR models allows authenticated... Moderate Unreviewed
CVE-2026-0414 was published Jun 9, 2026
lmdeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out High
CVE-2026-46517 was published for lmdeploy (pip) May 21, 2026
ibondarenko1 Credited to ibondarenko1
LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization High
CVE-2026-46432 was published for lmdeploy (pip) May 21, 2026
beanduan22 Credited to beanduan22
PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground Critical
CVE-2026-8467 was published for phoenix_storybook (Erlang) Jun 9, 2026
maennchen Credited to maennchen, ndelphit, cnkk, and cblavier ndelphit ndelphit
cnkk cnkk cblavier cblavier
Sentry: Superusers can execute arbitrary commands by injecting malicious pickle-serialized objects through audit log entry data parameter High
CVE-2021-47935 was published for sentry (pip) May 10, 2026
Inclusion of functionality from untrusted control sphere in Visual Studio Code allows an... High Unreviewed
CVE-2026-47292 was published Jun 9, 2026
Improper control of generation of code ('code injection') in Microsoft Exchange Server allows an... High Unreviewed
CVE-2026-45583 was published Jun 9, 2026
WordPress Insert PHP plugin versions before 3.3.1 contain a PHP code injection vulnerability that... Critical Unreviewed
CVE-2017-20251 was published Jun 9, 2026
FlowiseAI: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape Critical
CVE-2026-46442 was published for flowise (npm) May 14, 2026
ESPanda666 Credited to ESPanda666
CoreShop Vulnerable to Remote Code Execution (RCE) via Insecure `pull_request_target` Configuration High
CVE-2026-41249 was published for coreshop/core-shop (Composer) May 14, 2026
smiotani-aeyesec Credited to smiotani-aeyesec
Langroid has Prompt to SQL Injection, Leading to RCE Critical
CVE-2026-25879 was published for langroid (pip) May 27, 2026
Ka7arotto Credited to Ka7arotto
Formie: Pre-authenticated server-side template injection in Hidden fields Critical
CVE-2026-45697 was published for verbb/formie (Composer) May 18, 2026
pwnsauc3 Credited to pwnsauc3
Mermaid: Improper sanitization of configuration leads to CSS injection Moderate
CVE-2026-41159 was published for mermaid (npm) May 11, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and aloisklink KeenSecurityLab KeenSecurityLab
aloisklink aloisklink
DeepSeek TUI: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files Critical
CVE-2026-45374 was published for deepseek-tui (Rust) May 14, 2026
47Cid Credited to 47Cid
Electerm: Importing unsafe bookmark data could lead to unsafe operation when clicking local type bookmark Critical
CVE-2026-45058 was published for electerm (npm) May 14, 2026
Curly-Haired-Baboon Credited to Curly-Haired-Baboon
DeepSeek TUI: run_tests Tool Enables RCE via Malicious Repository Without Approval Critical
CVE-2026-45311 was published for deepseek-tui (npm) May 14, 2026
47Cid Credited to 47Cid
Inappropriate implementation in SVG in Google Chrome prior to 149.0.7827.103 allowed a remote... High Unreviewed
CVE-2026-11688 was published Jun 9, 2026
SandboxJS has a sandbox escape via Function.caller leakage of internal call op Critical
CVE-2026-43898 was published for @nyariv/sandboxjs (npm) May 11, 2026
Macabely Credited to Macabely
Mapfish Print: Remote Code Injection (RCE) in Dynamic table Critical
CVE-2026-44672 was published for org.mapfish.print:print-lib (Maven) May 13, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database