Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,004
Maven
5,000+
npm
5,000+
NuGet
974
pip
5,000+
Pub
13
RubyGems
1,069
Rust
1,395
Swift
61
Unreviewed advisories
All unreviewed
5,000+

11,179 advisories

Loading
File Browser has a Command Execution Allowlist Bypass via Shell Metacharacter Injection High
CVE-2026-54090 was published for github.com/filebrowser/filebrowser/v2 (Go) Jun 12, 2026
RajChowdhury240 Credited to RajChowdhury240
Jenkins: Stored XSS vulnerability in node offline cause description High
CVE-2026-53441 was published for org.jenkins-ci.main:jenkins-core (Maven) Jun 10, 2026
lohitkolluri Credited to lohitkolluri
Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation High
CVE-2026-45013 was published for apostrophe (npm) May 14, 2026
Mujahidkhan525 Credited to Mujahidkhan525 and VadlaReddySai VadlaReddySai VadlaReddySai
Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget High
CVE-2026-45012 was published for apostrophe (npm) May 14, 2026
yigitsengezer Credited to yigitsengezer and Sainithin0309 Sainithin0309 Sainithin0309
Apostrophe has stored XSS via javascript: URL in Image Widget Link High
CVE-2026-45011 was published for apostrophe (npm) May 14, 2026
MuhammadUwais Credited to MuhammadUwais
@agenticmail/mcp Missing Authentication for Critical Function High
CVE-2026-50287 was published for @agenticmail/mcp (npm) Jun 1, 2026
Koel Vulnerable to SSRF via Podcast Episode Enclosure URLs High
CVE-2026-47260 was published for phanan/koel (Composer) May 29, 2026
EndlssNightmare Credited to EndlssNightmare
Parse Server: Pre-authentication denial of service via client version header regex backtracking High
CVE-2026-47138 was published for parse-server (npm) May 23, 2026
shmulc8 Credited to shmulc8 and mtrezza mtrezza mtrezza
Docker: Race condition in docker cp allows bind mount redirection to host path High
CVE-2026-42306 was published for github.com/docker/docker (Go) May 18, 2026
vvoland Credited to vvoland
File Browser has incorrect access control for public directory shares via rule path rebasing High
CVE-2026-54091 was published for github.com/filebrowser/filebrowser (Go) Jun 12, 2026
hacdias Credited to hacdias
File Browser has a DoS Vulnerability via Public Login API High
CVE-2026-54092 was published for github.com/filebrowser/filebrowser (Go) Jun 12, 2026
AshrafIbrahim03 Credited to AshrafIbrahim03
In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization High
CVE-2026-41731 was published for org.springframework.kafka:spring-kafka (Maven) Jun 10, 2026
oscerd Credited to oscerd
File Browser: Improper Access Control Occurs via Pre-Created Public Share for a Non-existent Path High
CVE-2026-54096 was published for github.com/filebrowser/filebrowser (Go) Jun 12, 2026
quart27219 Credited to quart27219, kimdu0, and hacdias kimdu0 kimdu0
hacdias hacdias
File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix High
CVE-2026-54097 was published for github.com/filebrowser/filebrowser (Go) Jun 12, 2026
wooseokdotkim Credited to wooseokdotkim and hacdias hacdias hacdias
esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY High
GHSA-gv7w-rqvm-qjhr was published for esbuild (npm) Jun 12, 2026
sondt99 Credited to sondt99 and dungNHVhust dungNHVhust dungNHVhust
Radius Controller May Delete a Container Resource via an Injected Deployment Annotation (Multi-Tenant Installs) High
CVE-2026-53999 was published for github.com/radius-project/radius (Go) Jun 12, 2026
b0b0haha Credited to b0b0haha and j311yl0v3u j311yl0v3u j311yl0v3u
TYPO3 CMS has Broken Access Control in its Form Framework High
CVE-2026-11607 was published for typo3/cms-core (Composer) Jun 12, 2026
TYPO3 CMS: Destructive Actions on File Mount Folders High
CVE-2026-47343 was published for typo3/cms-core (Composer) Jun 12, 2026
PyO3 has an Out-of-bounds Read in `nth` / `nth_back` for `PyList` and `PyTuple` iterators High
GHSA-36hh-v3qg-5jq4 was published for pyo3 (Rust) Jun 12, 2026
TYPO3 CMS has Privilege Escalation & SQL Injection in its Form Framework High
CVE-2026-49741 was published for typo3/cms-core (Composer) Jun 12, 2026
TYPO3 CMS has Broken Access Control in its Form Framework High
CVE-2026-47346 was published for typo3/cms-core (Composer) Jun 12, 2026
Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memory Exhaustion High
CVE-2026-48059 was published for io.netty:netty-codec-haproxy (Maven) Jun 11, 2026
Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator High
CVE-2026-48006 was published for io.netty:netty-codec-redis (Maven) Jun 11, 2026
Netty has Insufficient Bailiwick Validation for NS Records High
CVE-2026-47691 was published for io.netty:netty-resolver-dns (Maven) Jun 8, 2026
violetagg Credited to violetagg
FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover High
CVE-2026-46475 was published for flowise (npm) May 14, 2026
offset Credited to offset
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database