
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

6,388 advisories

@hulumi/policies: CIS 1.16 admin policy bypass for inline and attached IAM policies (High)
GHSA-4xrh-5m3m-328w was published for @hulumi/policies (npm) May 21, 2026
@hulumi/policies: HULUMI-H1 SecureBucket parent spoof bypass (High)
GHSA-g43v-9x7q-83pq was published for @hulumi/policies (npm) May 21, 2026
@hulumi/drift: Orphan reconciler accepted externally supplied execute plans (High)
GHSA-2ffm-hxrq-qqmm was published for @hulumi/drift (npm) May 21, 2026
@hulumi/baseline: CloudTrail selector tampering events were not fully detected (Moderate)
GHSA-gfp8-mp24-5vxg was published for @hulumi/baseline (npm) May 21, 2026
NocoDB: Stale Auth Cache After API Token Deletion (Low)
CVE-2026-46554 was published for nocodb (npm) May 21, 2026
Credited to bugbunny-research
NocoDB: Attachment Size Limit Bypass via Upload-by-URL (Low)
CVE-2026-46553 was published for nocodb (npm) May 21, 2026
Credited to bugbunny-research
NocoDB: Shared-base link access can invite arbitrary users as persistent base members (Moderate)
CVE-2026-46552 was published for nocodb (npm) May 21, 2026
Credited to 0xmrma
NocoDB: Missing File Size Enforcement in Upload-by-URL Allows Denial of Service via Disk Exhaustion (Moderate)
CVE-2026-46551 was published for nocodb (npm) May 21, 2026
Credited to ik0z
NocoDB: Refresh Token Cookie Set Without `secure` and `sameSite` Flags (Moderate)
CVE-2026-46550 was published for nocodb (npm) May 21, 2026
Credited to ik0z
NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation (Low)
CVE-2026-46549 was published for nocodb (npm) May 21, 2026
Credited to ik0z
NocoDB: SSRF Protection Bypass in Notification Webhook Plugins (Slack, Discord, Mattermost, Teams) (Moderate)
CVE-2026-46548 was published for nocodb (npm) May 21, 2026
Credited to ik0z
NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL (Moderate)
CVE-2026-46547 was published for nocodb (npm) May 21, 2026
Credited to naoyashiga
Credited to axsharma and 0xmagic0
@sveltejs/kit: `query.batch` cross-talk (Moderate)
GHSA-hgv7-v322-mmgr was published for @sveltejs/kit (npm) May 21, 2026
Credited to rafabd1, elliott-with-the-longest-name-on-github, and dummdidumm
md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed) (High)
CVE-2026-46492 was published for md-fileserver (npm) May 21, 2026
Credited to kiwi865
samlify: XML Injection in AttributeValue Allows Privilege Escalation in Signed SAML Assertions (High)
CVE-2026-46490 was published for samlify (npm) May 21, 2026
Credited to RootUp
Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows (Moderate)
GHSA-c2c9-mfw7-p8hw was published for flowise (npm) May 20, 2026
Credited to offset
Credited to berkdedekarginoglu
Flowise: Hardcoded CORS wildcard on TTS endpoint enables cross-origin credential abuse from any webpage (Moderate)
GHSA-m837-xvxr-vqwg was published for flowise (npm) May 20, 2026
Credited to DeathsPirate
Supply chain compromise via malicious package versions (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service) (Critical)
CVE-2026-46421 was published for @cap-js/db-service (npm) May 20, 2026
Credited to patricebender and chgeo
@angular/platform-server: SSRF via Hostname Hijacking (High)
CVE-2026-46417 was published for @angular/platform-server (npm) May 19, 2026
Credited to alan-agius4, AndrewKushnir, VenkatKwest, and dgp1130
Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19): Mini Shai-Hulud worm (Critical)
CVE-2026-46412 was published for @beproduct/nestjs-auth (npm) May 19, 2026
CamoFox MCP: Unauthenticated HTTP MCP browser-control surface (High)
GHSA-7hgr-7h44-33w2 was published for camofox-mcp (npm) May 19, 2026
SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl (High)
CVE-2026-46372 was published for sillytavern (npm) May 19, 2026
Credited to larlarua
@libp2p/kad-dht: Unvalidated PUT_VALUE records allow unbounded disk exhaustion on DHT server nodes (High)
CVE-2026-45783 was published for @libp2p/kad-dht (npm) May 19, 2026
Credited to tahaafarooq