GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
30,740 advisories
Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
Critical
CVE-2026-44990
was published
for
sanitize-html
(npm)
May 14, 2026
Cordova Plugin InAppBrowser: iOS: Arbitrary Cordova callback IDs can be dispatched without validation from InAppBrowser WebViews.
Critical
CVE-2026-47430
was published
for
cordova-plugin-inappbrowser
(npm)
Jun 8, 2026
NodeVM builtin denylist bypass via process and inspector/promises allows host code execution
Critical
CVE-2026-47140
was published
for
vm2
(npm)
May 29, 2026
vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass
Critical
CVE-2026-47210
was published
for
vm2
(npm)
May 29, 2026
vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE
Critical
CVE-2026-47137
was published
for
vm2
(npm)
May 29, 2026
vm2 is Vulnerable to Sandbox Breakout Through Promise Species
Critical
CVE-2026-47208
was published
for
vm2
(npm)
May 29, 2026
BoxLite: Permission Bypass Allows Modification of Read-Only Files
Critical
CVE-2026-46695
was published
for
@boxlite-ai/boxlite
(Go)
May 21, 2026
Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host
Critical
CVE-2026-46703
was published
for
@boxlite-ai/boxlite
(Go)
May 21, 2026
Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign
Critical
CVE-2026-48150
was published
for
@budibase/server
(npm)
Jun 12, 2026
ProTip!
Advisories are also available from the
GraphQL API