Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,004
Maven
5,000+
npm
5,000+
NuGet
974
pip
5,000+
Pub
13
RubyGems
1,069
Rust
1,395
Swift
61
Unreviewed advisories
All unreviewed
5,000+

2,489 advisories

Loading
Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation High
CVE-2026-45013 was published for apostrophe (npm) May 14, 2026
Mujahidkhan525 Credited to Mujahidkhan525 and VadlaReddySai VadlaReddySai VadlaReddySai
Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget High
CVE-2026-45012 was published for apostrophe (npm) May 14, 2026
yigitsengezer Credited to yigitsengezer and Sainithin0309 Sainithin0309 Sainithin0309
Apostrophe has stored XSS via javascript: URL in Image Widget Link High
CVE-2026-45011 was published for apostrophe (npm) May 14, 2026
MuhammadUwais Credited to MuhammadUwais
@agenticmail/mcp Missing Authentication for Critical Function High
CVE-2026-50287 was published for @agenticmail/mcp (npm) Jun 1, 2026
Parse Server: Pre-authentication denial of service via client version header regex backtracking High
CVE-2026-47138 was published for parse-server (npm) May 23, 2026
shmulc8 Credited to shmulc8 and mtrezza mtrezza mtrezza
esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY High
GHSA-gv7w-rqvm-qjhr was published for esbuild (npm) Jun 12, 2026
sondt99 Credited to sondt99 and dungNHVhust dungNHVhust dungNHVhust
FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover High
CVE-2026-46475 was published for flowise (npm) May 14, 2026
offset Credited to offset
NodeVM network builtin exclusions bypass via internal _http_client and _http_server High
CVE-2026-47139 was published for vm2 (npm) May 29, 2026
spbavarva Credited to spbavarva
vm2's Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain High
CVE-2026-47209 was published for vm2 (npm) May 29, 2026
q1uf3ngONEKEY Credited to q1uf3ngONEKEY
vm2 has a sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks High
CVE-2026-47135 was published for vm2 (npm) May 29, 2026
q1uf3ng Credited to q1uf3ng
MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement High
CVE-2026-46519 was published for mcp-server-kubernetes (npm) May 21, 2026
axsharma Credited to axsharma and 0xmagic0 0xmagic0 0xmagic0
tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape High
CVE-2026-44705 was published for tmp (npm) May 27, 2026
Gyde04 Credited to Gyde04 and MaanVader MaanVader MaanVader
axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge High
CVE-2026-44495 was published for axios (npm) May 29, 2026
August829 Credited to August829
axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy` High
CVE-2026-44494 was published for axios (npm) May 29, 2026
August829 Credited to August829
Allocation of Resources Without Limits or Throttling in Axios High
CVE-2026-44488 was published for axios (npm) Jun 4, 2026
asadeddin Credited to asadeddin
Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter High
CVE-2026-44487 was published for axios (npm) Jun 4, 2026
Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection High
CVE-2026-44486 was published for axios (npm) Jun 4, 2026
ngocnn97 Credited to ngocnn97
Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL High
CVE-2026-48152 was published for @budibase/server (npm) Jun 12, 2026
Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema High
CVE-2026-48151 was published for @budibase/server (npm) Jun 12, 2026
liyander Credited to liyander
Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection High
CVE-2026-48146 was published for @budibase/server (npm) Jun 12, 2026
axel-corsiez Credited to axel-corsiez
proxy denial of service vulnerability High
CVE-2023-2968 was published for proxy (npm) May 30, 2023
TheeCryptoChad Credited to TheeCryptoChad
FlowiseAI: Vector Store No Permission Checks High
CVE-2026-46444 was published for flowise (npm) May 14, 2026
Dimpyj1604 Credited to Dimpyj1604
js-libp2p: Memory DoS via subscription flood of unique topics High
CVE-2026-46679 was published for @libp2p/gossipsub (npm) May 21, 2026
tahaafarooq Credited to tahaafarooq
JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection High
CVE-2026-46625 was published for js-cookie (npm) May 21, 2026
teebow1e Credited to teebow1e
@libp2p/kad-dht: Unvalidated PUT_VALUE records allow unbounded disk exhaustion on DHT server nodes High
CVE-2026-45783 was published for @libp2p/kad-dht (npm) May 19, 2026
tahaafarooq Credited to tahaafarooq
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database