
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,237 advisories

Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization Moderate
CVE-2026-44311 was published for fabric (npm) Jun 12, 2026
Budibase: Unvalidated VectorDB Host Parameter Enables SSRF Moderate
CVE-2026-48148 was published for @budibase/server (npm) Jun 12, 2026
Credited to fg0x0
Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker Moderate
CVE-2026-48147 was published for @budibase/backend-core (npm) Jun 12, 2026
Credited to b-hermes
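An added illustration of the bug class named in this entry, written for this page and not taken from Budibase: a CSRF exemption list matched with unanchored regexes against the raw request URL can be satisfied by placing an exempt path in the query string, or by prefixing it with another segment. The route names, helper functions and sample requests below are assumptions made for the example.

```javascript
// Added example (not Budibase code). Hypothetical CSRF exemption list: a few
// routes that must accept cross-site POSTs (e.g. auth callbacks, webhooks).

// Vulnerable matcher: patterns are unanchored and are tested against the raw
// request URL, so an exempt path can appear anywhere, including the query.
const EXEMPT_UNANCHORED = [/\/api\/global\/auth\//, /\/api\/webhooks\//];
function isExemptVulnerable(rawUrl) {
  return EXEMPT_UNANCHORED.some((re) => re.test(rawUrl));
}

// Hardened matcher: anchor each pattern at the start of the path and match
// against the parsed pathname only, never the query string or fragment.
const EXEMPT_ANCHORED = [/^\/api\/global\/auth\//, /^\/api\/webhooks\//];
function isExemptHardened(rawUrl) {
  // The base is a placeholder so relative request paths parse; only pathname is used.
  const { pathname } = new URL(rawUrl, 'http://placeholder.invalid');
  return EXEMPT_ANCHORED.some((re) => re.test(pathname));
}

// Decide whether a request must carry a CSRF token: state-changing methods
// need one unless the route is exempt.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
function requiresCsrfToken(isExempt, method, rawUrl) {
  if (SAFE_METHODS.has(method.toUpperCase())) return false;
  return !isExempt(rawUrl);
}

// Constructed requests: a legitimate exempt route, a cross-site POST to a
// privileged route that smuggles an exempt path in the query string, and a
// path that merely contains an exempt prefix after another segment.
const SAMPLE_REQUESTS = [
  { method: 'POST', url: '/api/webhooks/incoming' },
  { method: 'POST', url: '/api/admin/users?redirect=/api/webhooks/' },
  { method: 'POST', url: '/tenant/api/webhooks/incoming' },
];

// Run both matchers over the sample requests and report, per request, whether
// each policy would demand a CSRF token.
function compareMatchers(requests = SAMPLE_REQUESTS) {
  return requests.map(({ method, url }) => ({
    url,
    vulnerableRequiresToken: requiresCsrfToken(isExemptVulnerable, method, url),
    hardenedRequiresToken: requiresCsrfToken(isExemptHardened, method, url),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compareMatchers());
}
```

The second sample request is the interesting one: the unanchored matcher sees `/api/webhooks/` inside the query string and waives the token for a POST to an admin route, while the anchored, pathname-only matcher still requires it.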
Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step Moderate
CVE-2026-48128 was published for budibase (npm) Jun 12, 2026
Credited to fg0x0
LangGraph has NoSQL parameter injection in MongoDBSaver, allowing cross-tenant state access Moderate
CVE-2026-48121 was published for @langchain/langgraph-checkpoint-mongodb (npm) Jun 12, 2026
Credited to Nagendhra-web, etairl, and hntrl
@hapi/inert has a static-file confinement bypass via sibling-prefix path Moderate
CVE-2026-48049 was published for @hapi/inert (npm) Jun 11, 2026
Credited to imssm99
joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas Moderate
CVE-2026-48038 was published for joi (npm) Jun 11, 2026
Credited to kexwin
@hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects Moderate
CVE-2026-48022 was published for @hapi/wreck (npm) Jun 11, 2026
Credited to SnailSploit
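An added illustration of the redirect-handling class named in this entry, written for this page and not taken from @hapi/wreck: a client that decides whether to forward credential headers by comparing hostnames alone will hand an Authorization header to a plain-http or different-port listener on the same host. The policy functions, header names and the constructed redirect chain below are assumptions for the example; the hardened policy compares the full origin (scheme, host and port) instead.

```javascript
// Added example (not @hapi/wreck code). Headers that must never cross an
// origin boundary on redirect.
const CREDENTIAL_HEADERS = ['authorization', 'proxy-authorization', 'cookie'];

// Vulnerable policy: treats any URL with the same hostname as trusted.
function sameHostOnly(fromUrl, toUrl) {
  return new URL(fromUrl).hostname === new URL(toUrl).hostname;
}

// Hardened policy: compares the full origin. URL.origin normalizes default
// ports, so https://a.test:443 and https://a.test compare equal.
function sameOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin === new URL(toUrl).origin;
}

// Build the header set for the redirected request under a given policy:
// credential headers are dropped unless the policy says the target is trusted.
function headersForRedirect(policy, headers, fromUrl, toUrl) {
  const out = {};
  const trusted = policy(fromUrl, toUrl);
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (CREDENTIAL_HEADERS.includes(lower) && !trusted) continue;
    out[lower] = value;
  }
  return out;
}

// Constructed scenario: one original https request and four possible 3xx
// targets returned by the server.
const ORIGINAL = 'https://api.example.test/v1/data';
const SAMPLE_HEADERS = {
  Authorization: 'Bearer constructed-token', // constructed, not a real credential
  Accept: 'application/json',
};
const REDIRECT_TARGETS = [
  'https://api.example.test/v1/data-moved',      // same origin: keep credentials
  'http://api.example.test/v1/data-moved',       // scheme downgrade: must strip
  'https://api.example.test:8443/v1/data-moved', // different port: must strip
  'https://cdn.example.test/v1/data-moved',      // different host: strip under both
];

// Return the redirect targets to which a policy would forward the Authorization header.
function targetsReceivingAuth(policy, targets = REDIRECT_TARGETS) {
  return targets.filter(
    (t) => 'authorization' in headersForRedirect(policy, SAMPLE_HEADERS, ORIGINAL, t),
  );
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('same-host policy leaks to:', targetsReceivingAuth(sameHostOnly));
  console.log('same-origin policy forwards to:', targetsReceivingAuth(sameOrigin));
}
```

Under the hostname-only policy the bearer token is forwarded to three of the four targets, including the http downgrade; under the origin policy it reaches only the first. Note that a practitioner would also cap redirect depth and refuse to follow redirects from https to http entirely, which this example does not attempt to show.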
@hulumi/baseline: AccountFoundation reuse paths silently downgrade GuardDuty / Security Hub posture Moderate
CVE-2026-48037 was published for @hulumi/baseline (npm) Jun 10, 2026
Credited to kerberosmansour
FUXA's scheduler API missing admin check enables operator-to-admin escalation via scheduled device actions Moderate
CVE-2026-47721 was published for fuxa-server (npm) Jun 8, 2026
Credited to adrgs and aisafe-bot
FUXA has SQL Injection in its TDengine DAQ connector via backslash bypass of escapeTdString Moderate
CVE-2026-47720 was published for fuxa-server (npm) Jun 8, 2026
Credited to adrgs and aisafe-bot
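An added illustration of the escape-bypass class named in this entry, written for this page and not FUXA's escapeTdString: in a SQL dialect where a backslash escapes the following character inside a string literal (assumed here, as the title implies), an escaper that only doubles single quotes lets an input of `\'` neutralize its own doubling so that the next quote closes the literal early. The escapers, the literal scanner and the payload below are assumptions for the example. Parameterized queries remain the correct fix; the hardened escaper is shown only to make the failure concrete.

```javascript
// Added example (not FUXA code). Assumed dialect: inside a single-quoted
// literal, '' is an escaped quote and a backslash escapes the next character.

// Vulnerable escaper: doubles quotes, leaves backslashes untouched.
function escapeQuotesOnly(value) {
  return String(value).replace(/'/g, "''");
}

// Hardened escaper for the assumed dialect: escape backslashes first, then quotes.
function escapeQuotesAndBackslashes(value) {
  return String(value).replace(/\\/g, '\\\\').replace(/'/g, "''");
}

// Scan a fragment that begins with an opening quote using the dialect's rules
// and return whatever text falls outside the literal (null if it never closes).
// Any non-empty result is attacker-controlled text the database would execute.
function textAfterLiteral(fragment) {
  if (fragment[0] !== "'") throw new Error('fragment must start with a quote');
  let i = 1;
  while (i < fragment.length) {
    const c = fragment[i];
    if (c === '\\') { i += 2; continue; }                 // backslash escapes next char
    if (c === "'") {
      if (fragment[i + 1] === "'") { i += 2; continue; }   // doubled quote stays inside
      return fragment.slice(i + 1);                        // literal closed here
    }
    i += 1;
  }
  return null;
}

// Build a WHERE predicate the way a naive DAQ query builder might.
function buildPredicate(escaper, value) {
  return `name = '${escaper(value)}'`;
}

// Escape the value, embed it, and report what escaped the literal.
function injectedTail(escaper, value) {
  const predicate = buildPredicate(escaper, value);
  return textAfterLiteral(predicate.slice(predicate.indexOf("'")));
}

// Constructed payload: a backslash, a quote, then a tautology and a comment.
const PAYLOAD = "\\' OR 1=1 --";

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(buildPredicate(escapeQuotesOnly, PAYLOAD)));
  console.log('quotes-only leaks:', JSON.stringify(injectedTail(escapeQuotesOnly, PAYLOAD)));
  console.log('hardened leaks:', JSON.stringify(injectedTail(escapeQuotesAndBackslashes, PAYLOAD)));
}
```

With the quotes-only escaper the predicate becomes `name = '\'' OR 1=1 --'`: the backslash consumes the first of the doubled quotes, the second closes the literal, and ` OR 1=1 --'` runs as SQL. With backslashes escaped as well, the whole payload stays inside the literal and nothing leaks.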
actual Allows Electron to Run As Node Moderate
CVE-2026-42890 was published for actual (npm) Jun 8, 2026
Credited to mustafa-sec
NocoDB: OAuth Tokens Persist Through Security Events Moderate
CVE-2026-53926 was published for nocodb (npm) Jun 5, 2026
Credited to bugbunny-research
NocoDB: OAuth Authorization Code Race Condition Moderate
CVE-2026-47386 was published for nocodb (npm) Jun 5, 2026
NocoDB: Path Traversal via SQLite Source Filename Moderate
CVE-2026-47385 was published for nocodb (npm) Jun 5, 2026
Credited to Mouhebbenelwafi
NocoDB: SQL Injection via Column Title in Bulk GroupBy Moderate
CVE-2026-47384 was published for nocodb (npm) Jun 5, 2026
Credited to geo-chen
NocoDB: Server-Side Request Forgery via Database Connection Host Moderate
CVE-2026-47382 was published for nocodb (npm) Jun 5, 2026
Credited to helwor-01
NocoDB: Cross-Workspace Integration Use in Connection Test Moderate
CVE-2026-47381 was published for nocodb (npm) Jun 5, 2026
Credited to DongyangLyu
NocoDB: Plaintext Password Comparison in Shared Views Moderate
CVE-2026-47379 was published for nocodb (npm) Jun 5, 2026
Credited to Proscan-one
NocoDB: Hidden Column Exposure in Public Shared View Endpoints Moderate
CVE-2026-47378 was published for nocodb (npm) Jun 5, 2026
Credited to 0xBassia
NocoDB: Open Redirect via Hash Fragment in hashRedirect Plugin Moderate
CVE-2026-47377 was published for nocodb (npm) Jun 5, 2026
Credited to fg0x0
NocoDB: Reflected Cross-Site Scripting via Password Reset Token Moderate
CVE-2026-47376 was published for nocodb (npm) Jun 5, 2026
Credited to fg0x0
NocoDB: Postgres SQL Injection in Formula `ARRAYSORT` Moderate
CVE-2026-47375 was published for nocodb (npm) Jun 5, 2026
Credited to leduckhuong
NocoDB: Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints Moderate
CVE-2026-47279 was published for nocodb (npm) Jun 5, 2026
Credited to leduckhuong
MCP Server Kubernetes: kubectl-generic flag injection enables Kubernetes bearer token exfiltration Moderate
CVE-2026-47250 was published for mcp-server-kubernetes (npm) Jun 5, 2026
Credited to yotampe-pluto