GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 61
GitHub Actions: 50
Go: 3,821
Maven: 5,000+
npm: 5,000+
NuGet: 939
pip: 5,000+
Pub: 13
RubyGems: 1,059
Rust: 1,357
Swift: 54
Unreviewed advisories
All unreviewed: 5,000+
125,465 advisories
Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Prototype Pollution via the...
High | Unreviewed | CVE-2026-8657 was published May 16, 2026
radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_pids_list() function within the...
High | Unreviewed | CVE-2026-8696 was published May 15, 2026
Schlix CMS 2.2.6-6 contains a remote code execution vulnerability that allows authenticated...
High | Unreviewed | CVE-2021-47964 was published May 15, 2026
PHP Timeclock 1.04 contains time-based and boolean-based blind SQL injection vulnerabilities in...
High | Unreviewed | CVE-2021-47966 was published May 15, 2026
WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows...
High | Unreviewed | CVE-2021-47959 was published May 15, 2026
phpMyFAQ before 4.1.2 contains a sql injection vulnerability in CurrentUser::setTokenData that...
High | Unreviewed | CVE-2026-46359 was published May 15, 2026
phpMyFAQ before 4.1.2 contains an information disclosure vulnerability in the getIdFromSolutionId...
High | Unreviewed | CVE-2026-46366 was published May 15, 2026
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl()...
High | Unreviewed | CVE-2026-46367 was published May 15, 2026
AVideo: OS command injection in on_publish.php execAsync via unescaped m3u8 URL
High | CVE-2026-45578 was published for WWBN/AVideo (Composer) May 15, 2026
Improper Verification of Cryptographic Signature in com.oviva.telematik:epa4all-client
High | CVE-2026-45575 was published for com.oviva.telematik:epa4all-client (Maven) May 15, 2026
radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_threads_list() function that...
High | Unreviewed | CVE-2026-8695 was published May 15, 2026
Code injection in SQL code generation in Apache Flink 1.15.0 through 1.20.x and 2.0.0 through 2.x...
High | Unreviewed | CVE-2026-35194 was published May 15, 2026
epa4all-client: TLS Certificate Validation Disabled in Production
High | CVE-2026-45574 was published for com.oviva.telematik:epa4all-client (Maven) May 15, 2026
AVideo's Meet plugin: `uploadRecordedVideo.json.php` derives `users_id` from the uploaded filename and calls passwordless `User->login()`, allowing any caller with the Meet shared secret to obtain a session as arbitrary users including admin
High | GHSA-qxvm-r42f-5p8j was published for WWBN/AVideo (Composer) May 15, 2026
SimpleSAMLphp casserver FileSystemTicketStore path traversal allows out-of-ticket-directory read/unserialize and conditional deletion
High | CVE-2026-46491 was published for simplesamlphp/simplesamlphp-module-casserver (Composer) May 15, 2026
Authenticated Sharp users can download unrelated Laravel Storage objects through the generic download endpoint
High | CVE-2026-44692 was published for code16/sharp (Composer) May 15, 2026
Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permission instead of builder access, allowing any authenticated app user to overwrite datasource connection parameters including host, port, and URL
High | CVE-2026-45717 was published for @budibase/server (npm) May 15, 2026
Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration
High | CVE-2026-45715 was published for @budibase/server (npm) May 15, 2026
Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation
High | CVE-2026-45548 was published for @budibase/server (npm) May 15, 2026
Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation
High | CVE-2026-45364 was published for better-auth (npm) May 15, 2026
goshs: SSH host key verification disabled, allowing transparent MITM of every tunnelled HTTP request
High | GHSA-mxg3-432p-mr72 was published for goshs.de/goshs/v2 (Go) May 15, 2026
FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files
High | CVE-2026-45062 was published for github.com/dunglas/frankenphp (Go) May 15, 2026
Pipecat: Path Traversal in Pipecat Runner `/files` Endpoint — Arbitrary File Read via `%2F`-Encoded Separator
High | CVE-2026-44716 was published for pipecat-ai (pip) May 15, 2026
NukeViet CMS: Stored Cross-Site Scripting (XSS) via insufficient server-side input sanitization in Request class
High | CVE-2026-41147 was published for nukeviet/nukeviet (Composer) May 15, 2026
nimiq-keys: Unchecked Ed25519 signature length in TaggedPublicKey::verify causes remote node panic via DHT
High | CVE-2026-40092 was published for nimiq-keys (Rust) May 15, 2026
ProTip! Advisories are also available from the GraphQL API