Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,029
Maven
5,000+
npm
5,000+
NuGet
976
pip
5,000+
Pub
13
RubyGems
1,070
Rust
1,404
Swift
61
Unreviewed advisories
All unreviewed
5,000+

964 advisories

Loading
Crawl4AI: Multiple Docker API Vulnerabilities - File Write, SSRF, Auth Bypass, XSS, JS Execution Critical
GHSA-365w-hqf6-vxfg was published for crawl4ai (pip) Jun 16, 2026
August829 Credited to August829
Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API Critical
CVE-2026-53753 was published for crawl4ai (pip) Jun 16, 2026
q1uf3ng Credited to q1uf3ng, August829, and ntohidi August829 August829
ntohidi ntohidi
October Rain has Environment Variable Exfiltration via INI Parser Interpolation Moderate
CVE-2026-25125 was published for october/rain (Composer) Apr 14, 2026
daftspunk Credited to daftspunk and mbadanoiu mbadanoiu mbadanoiu
Langflow: Unauthenticated RCE in Shareable Playgrounds Critical
CVE-2026-48519 was published for langflow (pip) Jun 16, 2026
vbCrLf Credited to vbCrLf, Jkavia, andifilhohub, and AntonioABLima Jkavia Jkavia
andifilhohub andifilhohub AntonioABLima AntonioABLima
vLLM: Security Check Bypass via assert Statement in Activation Function Loading Allows Arbitrary Code Execution High
CVE-2026-41523 was published for vllm (pip) Jun 16, 2026
pierreolivierbonin Credited to pierreolivierbonin and jperezdealgaba jperezdealgaba jperezdealgaba
protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names High
CVE-2026-54271 was published for protobufjs-cli (npm) Jun 15, 2026
JacobBrackett Credited to JacobBrackett and dcodeIO dcodeIO dcodeIO
actual Allows Electron to Run As Node Moderate
CVE-2026-42890 was published for actual (npm) Jun 8, 2026
mustafa-sec Credited to mustafa-sec
axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge High
CVE-2026-44495 was published for axios (npm) May 29, 2026
August829 Credited to August829
OpenZeppelin Contracts Wizard has Code Injection in Generated Hardhat and Foundry Tests via Unsanitized opts.name / opts.uri High
CVE-2026-48054 was published for @openzeppelin/wizard (npm) Jun 11, 2026
232-323 Credited to 232-323 and knm6777 knm6777 knm6777
PDM: Project-Controlled `.pdm-plugins` Content Executes Before CLI Parsing High
CVE-2026-47781 was published for pdm (pip) Jun 11, 2026
xuemian168 Credited to xuemian168
lmdeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out High
CVE-2026-46517 was published for lmdeploy (pip) May 21, 2026
ibondarenko1 Credited to ibondarenko1
LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization High
CVE-2026-46432 was published for lmdeploy (pip) May 21, 2026
beanduan22 Credited to beanduan22
PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground Critical
CVE-2026-8467 was published for phoenix_storybook (Erlang) Jun 9, 2026
maennchen Credited to maennchen, ndelphit, cnkk, and cblavier ndelphit ndelphit
cnkk cnkk cblavier cblavier
Sentry: Superusers can execute arbitrary commands by injecting malicious pickle-serialized objects through audit log entry data parameter High
CVE-2021-47935 was published for sentry (pip) May 10, 2026
FlowiseAI: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape Critical
CVE-2026-46442 was published for flowise (npm) May 14, 2026
ESPanda666 Credited to ESPanda666
CoreShop Vulnerable to Remote Code Execution (RCE) via Insecure `pull_request_target` Configuration High
CVE-2026-41249 was published for coreshop/core-shop (Composer) May 14, 2026
smiotani-aeyesec Credited to smiotani-aeyesec
Langroid has Prompt to SQL Injection, Leading to RCE Critical
CVE-2026-25879 was published for langroid (pip) May 27, 2026
Ka7arotto Credited to Ka7arotto
Formie: Pre-authenticated server-side template injection in Hidden fields Critical
CVE-2026-45697 was published for verbb/formie (Composer) May 18, 2026
pwnsauc3 Credited to pwnsauc3
Mermaid: Improper sanitization of configuration leads to CSS injection Moderate
CVE-2026-41159 was published for mermaid (npm) May 11, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and aloisklink KeenSecurityLab KeenSecurityLab
aloisklink aloisklink
DeepSeek TUI: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files Critical
CVE-2026-45374 was published for deepseek-tui (Rust) May 14, 2026
47Cid Credited to 47Cid
Electerm: Importing unsafe bookmark data could lead to unsafe operation when clicking local type bookmark Critical
CVE-2026-45058 was published for electerm (npm) May 14, 2026
Curly-Haired-Baboon Credited to Curly-Haired-Baboon
DeepSeek TUI: run_tests Tool Enables RCE via Malicious Repository Without Approval Critical
CVE-2026-45311 was published for deepseek-tui (npm) May 14, 2026
47Cid Credited to 47Cid
SandboxJS has a sandbox escape via Function.caller leakage of internal call op Critical
CVE-2026-43898 was published for @nyariv/sandboxjs (npm) May 11, 2026
Macabely Credited to Macabely
Mapfish Print: Remote Code Injection (RCE) in Dynamic table Critical
CVE-2026-44672 was published for org.mapfish.print:print-lib (Maven) May 13, 2026
claude-code-cache-fix vulnerable to local code execution via Python triple-quote injection in tools/quota-statusline.sh High
CVE-2026-45136 was published for claude-code-cache-fix (npm) May 13, 2026
schuay Credited to schuay
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database