GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

6,687 advisories

Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication Critical
CVE-2026-48797 was published for @mcptoolshop/backpropagate (npm) Jun 26, 2026
Credited to elliott-with-the-longest-name-on-github, KarimPwnz, wim-vercel, mattiasljungstrom, Wenxin-Jiang, and massif-01
MJML allows mj-include directory traversal due to an incomplete fix for CVE-2020-12827 Moderate
CVE-2025-67898 was published for mjml (npm) Dec 15, 2025
Credited to LambArchie
Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS) High
CVE-2025-8101 was published for linkifyjs (npm) Jul 26, 2025
Credited to saip007, caverav, and massif-01
@cyclonedx/cdxgen: Maven project scanning may allow shell command injection through repository-controlled module paths Moderate
GHSA-5vwr-qchf-q4pf was published for @cyclonedx/cdxgen (npm) Jun 26, 2026
Credited to aleff-github
@sigstore/core has DSSE payloadType type-binding failure Moderate
CVE-2026-48758 was published for @sigstore/core (npm) Jun 26, 2026
Credited to Str1ckl4nd and Zyy0530
neotoma has tenant isolation gap in relationship query endpoints Low
GHSA-wrr4-782v-jhwh was published for neotoma (npm) Jun 25, 2026
i18next-fs-backend vulnerable to prototype pollution via crafted missing-key string Critical
CVE-2026-48713 was published for i18next-fs-backend (npm) Jun 25, 2026
Credited to codeswhite
i18next-http-middleware: MissingKeyHandler does not reject keys whose segments contain prototype-polluting names Critical
CVE-2026-48714 was published for i18next-http-middleware (npm) Jun 25, 2026
Credited to codeswhite
undici vulnerable to cross-user information disclosure via shared cache whitespace bypass Moderate
CVE-2026-9678 was published for undici (npm) Jun 18, 2026
Credited to AndrewMohawk, mcollina, and UlisesGascon
hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR Moderate
CVE-2026-56761 was published for hono (npm) Apr 16, 2026
Credited to tndud042713 and throwersedrickoctauious-del
n8n has a Stored XSS Vulnerability in its Form Trigger Moderate
CVE-2026-56358 was published for n8n (npm) Mar 27, 2026
Credited to tr4ce-ju
n8n: SQL Injection in MySQL, PostgreSQL, and Microsoft SQL nodes Moderate
CVE-2026-56351 was published for n8n (npm) Feb 26, 2026
Flowise has Insufficient Password Salt Rounds Moderate
CVE-2026-56272 was published for flowise (npm) Mar 5, 2026
Credited to kolega-ai-dev
Flowise: Unauthenticated Information Disclosure of OAuth Secrets (Cleartext) via GET Request Moderate
CVE-2026-56270 was published for flowise (npm) Apr 16, 2026
Credited to berkdedekarginoglu
Flowise: Weak Default Token Hash Secret Moderate
CVE-2026-56269 was published for flowise (npm) Apr 16, 2026
Credited to kolega-ai-dev
FlowiseDB vulnerable to SQL Injection by authenticated users Moderate
CVE-2025-71332 was published for flowise (npm) Apr 7, 2025
Credited to Tribal1012
Budibase has nonymous NoSQL operator injection via published-app query templates Critical
CVE-2026-54350 was published for @budibase/server (npm) Jun 23, 2026
Credited to kah-ja
http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass Moderate
CVE-2026-55602 was published for http-proxy-middleware (npm) Jun 18, 2026
Credited to Str1ckl4nd, Zyy0530, 7thParkk, G-Rath, and ethantkoenig
BoxLite: Permission Bypass Allows Modification of Read-Only Files Critical
CVE-2026-46695 was published for @boxlite-ai/boxlite (Go) May 21, 2026
Credited to XlabAITeam, keenanwgn, and A7um
Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host Critical
CVE-2026-46703 was published for @boxlite-ai/boxlite (Go) May 21, 2026
Credited to XlabAITeam, keenanwgn, and A7um
@jhb.software/payload-cloudinary-plugin: Arbitrary Cloudinary API Parameter Signing High
GHSA-h5x8-xp6m-x6q4 was published for @jhb.software/payload-cloudinary-plugin (npm) Jun 19, 2026
Credited to EQSTLab
@actual-app/web has CSV Formula Injection in Transaction Export via Imported Payee/Notes Fields Moderate
CVE-2026-50179 was published for @actual-app/web (npm) Jun 22, 2026
Credited to offset and MatissJanis
@budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation High
CVE-2026-54353 was published for @budibase/backend-core (npm) Jun 22, 2026
Credited to Artex09