
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

10,820 advisories

MantisBT has Stored XSS on Move Attachments Admin Page (High)
CVE-2026-44655 was published for mantisbt/mantisbt (Composer) on May 11, 2026
Credited to dregad
Credited to StarPlatinu and igalklebanov

MantisBT has a Private Bugnote Attachment Content Leak via REST API (High)
CVE-2026-42071 was published for mantisbt/mantisbt (Composer) on May 11, 2026
Credited to shukla304, TristanInSec, dregad, and siunam321

MantisBT is Vulnerable to Stored XSS in Saved-Filter Owner Column (High)
CVE-2026-40607 was published for mantisbt/mantisbt (Composer) on May 11, 2026
Credited to siunam321 and dregad

MantisBT has a Content Security Policy bypass via attachments (High)
CVE-2026-40597 was published for mantisbt/mantisbt (Composer) on May 11, 2026
Credited to siunam321 and dregad

MantisBT is Vulnerable to XSS leading to account takeover via updating a user's font family preference (High)
CVE-2026-40596 was published for mantisbt/mantisbt (Composer) on May 11, 2026
Credited to siunam321 and dregad

Yii 2: Local file inclusion via view parameter name collision (High)
CVE-2026-39850 was published for yiisoft/yii2 (Composer) on May 11, 2026
Credited to khuroohamid

MantisBT is Vulnerable to Stored HTML Injection/XSS in Clone Issue Form (High)
CVE-2026-34463 was published for mantisbt/mantisbt (Composer) on May 11, 2026
Credited to shukla304, dregad, and siunam321
Credited to jeongbeannnn

Bird-lg-go has a Fatal Out-of-Memory (OOM) Denial of Service via Unbounded JSON Decoding (High)
CVE-2026-45047 was published for github.com/xddxdd/bird-lg-go (Go) on May 11, 2026
Credited to 9Bakabaka

LiteLLM has a sandbox escape in custom-code guardrail (High)
CVE-2026-40217 was published for litellm (pip) on May 11, 2026

GitHub Copilot CLI: Nested Bare Repository Can Execute Arbitrary Commands via core.fsmonitor (High)
CVE-2026-45033 was published for @github/copilot (npm) on May 11, 2026

Local Path Provisioner Vulnerable to HelperPod Template Injection (High)
CVE-2026-44543 was published for github.com/rancher/local-path-provisioner (Go) on May 11, 2026
Credited to b0b0haha and j311yl0v3u

elFinder MySQL has a SQL Injection in its Volume Driver (elFinderVolumeMySQL) (High)
CVE-2026-44521 was published for studio-42/elfinder (Composer) on May 11, 2026
Credited to elulq

Valtimo has sensitive data exposure through HTTP request/response logging in LoggingRestClientCustomizer (High)
CVE-2026-44516 was published for com.ritense.valtimo:web (Maven) on May 11, 2026

@theecryptochad/merge-guard has Prototype Pollution in its deepMerge() function (High)
GHSA-mhwj-73qx-jqxm was published for @theecryptochad/merge-guard (npm) on May 11, 2026
Credited to TheeCryptoChad
Credited to 0xBassia

Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades (High)
CVE-2026-44578 was published for next (npm) on May 11, 2026

Next.js has a Middleware / Proxy bypass through dynamic route parameter injection (High)
CVE-2026-44574 was published for next (npm) on May 11, 2026

Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n (High)
CVE-2026-44573 was published for next (npm) on May 11, 2026

Ella Core Vulnerable to UE Downlink Redirection via Forged PDUSessionResourceSetupResponse (High)
CVE-2026-44473 was published for github.com/ellanetworks/core (Go) on May 11, 2026
Credited to SJNA0414, ICSR-KMU, and bradypus404

python-liquid: Absolute paths escape filesystem loader search path (High)
CVE-2026-45017 was published for python-liquid (pip) on May 11, 2026
Credited to 0xHunSec
Advisories are also available from the GraphQL API.