GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
959 advisories
OpenZeppelin Contracts Wizard has Code Injection in Generated Hardhat and Foundry Tests via Unsanitized opts.name / opts.uri
High: CVE-2026-48054 was published for @openzeppelin/wizard (npm), Jun 11, 2026
PDM: Project-Controlled `.pdm-plugins` Content Executes Before CLI Parsing
High: CVE-2026-47781 was published for pdm (pip), Jun 11, 2026
PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground
Critical: CVE-2026-8467 was published for phoenix_storybook (Erlang), Jun 9, 2026
nebula-mesh: Host advanced overrides allow YAML injection into agent config.yml
High: CVE-2026-47722 was published for github.com/juev/nebula-mesh (Go), Jun 8, 2026
Anyquery: AppleScript/JXA Code Injection via Unescaped URL in macOS Chrome Plugin
Critical: CVE-2026-47252 was published for github.com/julien040/anyquery/plugins/brave (Go), Jun 8, 2026
actual Allows Electron to Run As Node
Moderate: CVE-2026-42890 was published for actual (npm), Jun 8, 2026
DbGate: Remote Code Execution via functionName injection in loadReader endpoint
High: CVE-2026-48017 was published for dbgate-api (npm), Jun 5, 2026
DbGate: Unauthenticated Remote Code Execution via JSON Script Runner
Critical: CVE-2026-47668 was published for dbgate-serve (npm), Jun 5, 2026
browserstack-runner vulnerable to Remote Code Execution via vm sandbox escape in _log HTTP handler
High: CVE-2026-49143 was published for browserstack-runner (npm), Jun 3, 2026
Docling: Unsafe Playwright-based HTML Rendering
High: CVE-2026-44016 was published for docling (pip), Jun 3, 2026
PraisonAI: Arbitrary code execution via unguarded `spec.loader.exec_module` in `agents_generator.py` - sibling of CVE-2026-44334
High: CVE-2026-47398 was published for PraisonAI (pip), May 29, 2026
amazon-redshift-python-driver vulnerable to Remote Code Execution via eval() Injection
Critical: CVE-2026-8838 was published for redshift-connector (pip), May 29, 2026
axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
High: CVE-2026-44495 was published for axios (npm), May 29, 2026
compliance-trestle Vulnerable to Remote Code Execution via Recursive Server-Side Template Injection (SSTI)
High: CVE-2026-46439 was published for compliance-trestle (pip), May 28, 2026
Yamcs Vulnerable to Authenticated Remote Code Execution (RCE) via Jython Algorithm Code Injection
Critical: CVE-2026-46621 was published for org.yamcs:yamcs-core (Maven), May 27, 2026
Yamcs Vulnerable to Remote Code Execution via Mission Database algorithm override
Critical: CVE-2026-46562 was published for org.yamcs:yamcs-core (Maven), May 27, 2026
Langroid has Prompt to SQL Injection, Leading to RCE
Critical: CVE-2026-25879 was published for langroid (pip), May 27, 2026
LiquidJS is Vulnerable to Remote Code Execution
Critical: CVE-2026-45618 was published for liquidjs (npm), May 27, 2026
Yamcs Vulnerable to Server-Side Code Injection (RCE) via Janino Expression Engine in `JavaExprAlgorithmExecutionFactory`
Critical: CVE-2026-44632 was published for org.yamcs:yamcs-core (Maven), May 27, 2026
FUXA Vulnerable to Pre-auth RCE via Path Manipulation & Configuration Injection
High: CVE-2026-43945 was published for @frangoteam/fuxa (npm), May 26, 2026
Twig: Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation
High: CVE-2026-46640 was published for twig/twig (Composer), May 21, 2026
Twig: PHP code injection via `{% use %}` template name
Critical: CVE-2026-46633 was published for twig/twig (Composer), May 21, 2026
lmdeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out
High: CVE-2026-46517 was published for lmdeploy (pip), May 21, 2026
LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization
High: CVE-2026-46432 was published for lmdeploy (pip), May 21, 2026
GlassFish's Administration Console is Vulnerable to RCE
Critical: CVE-2026-2586 was published for org.glassfish.jsftemplating:jsftemplating (Maven), May 19, 2026
ProTip! Advisories are also available from the GraphQL API