
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,799 advisories

OpenStack Vitrage: Unauthorized Access to the Host can Lead to Eval Injection Critical
CVE-2026-28370 was published for vitrage (pip) Feb 27, 2026
Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter Critical
CVE-2026-27804 was published for parse-server (npm) Feb 25, 2026
Credited to sebastianosrt and mtrezza
Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover Critical
CVE-2026-27822 was published for rustfs (Rust) Feb 25, 2026
Credited to naoyashiga
Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline Critical
CVE-2026-27739 was published for @angular/ssr (npm) Feb 25, 2026
Credited to Yenya030, alan-agius4, securityMB, AndrewKushnir, josephperrott, and dgp1130
Basic FTP has Path Traversal Vulnerability in its downloadToDir() method Critical
CVE-2026-27699 was published for basic-ftp (npm) Feb 25, 2026
Credited to thecasual
n8n: Expression Sandbox Escape Leads to RCE Critical
CVE-2026-27577 was published for n8n (npm) Feb 25, 2026
Credited to eilonc-pillar, nil340, ediklab, hackerman70000, and zolbooo
Vikunja has Weak Password Policy Combined with Persistent Sessions After Password Change Critical
CVE-2026-27575 was published for code.vikunja.io/api (Go) Feb 25, 2026
Credited to iamsampathk
n8n has Arbitrary Command Execution via File Write and Git Operations Critical
CVE-2026-27498 was published for n8n (npm) Feb 25, 2026
Credited to fatihhcelik
n8n has Potential Remote Code Execution via Merge Node Critical
CVE-2026-27497 was published for n8n (npm) Feb 25, 2026
Credited to allsmog and nil340
n8n has a Sandbox Escape in its JavaScript Task Runner Critical
CVE-2026-27495 was published for n8n (npm) Feb 25, 2026
Credited to c0rydoras
n8n has Unauthenticated Expression Evaluation via Form Node Critical
CVE-2026-27493 was published for n8n (npm) Feb 25, 2026
Credited to eilonc-pillar
Flask-Reuploaded vulnerable to Remote Code Execution via Server-Side Template Injection Critical
CVE-2026-27641 was published for flask-reuploaded (pip) Feb 25, 2026
Credited to cjaron03
Parse Dashboard is Missing Authorization for its Agent Endpoint Critical
CVE-2026-27608 was published for parse-dashboard (npm) Feb 25, 2026
Credited to mtrezza and ByamB4
Budibase: Remote Code Execution via Unsafe eval() in View Filter Map Function (Budibase Cloud) Critical
CVE-2026-27702 was published for budibase (npm) Feb 25, 2026
Credited to vicevirus
Parse Dashboard has incomplete authentication on AI Agent endpoint Critical
CVE-2026-27595 was published for parse-dashboard (npm) Feb 25, 2026
Credited to ByamB4 and mtrezza
OneUptime: OS Command Injection in Probe NetworkPathMonitor via unsanitized destination in traceroute exec() Critical
CVE-2026-27728 was published for @oneuptime/common (npm) Feb 25, 2026
Credited to dxlerYT
@enclave-vm/core is vulnerable to Sandbox Escape Critical
CVE-2026-27597 was published for @enclave-vm/core (npm) Feb 25, 2026
Credited to c0rydoras and frontegg-david
OliveTin: OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks Critical
CVE-2026-27626 was published for github.com/OliveTin/OliveTin (Go) Feb 25, 2026
Credited to ByamB4
Bugsink is vulnerable to Stored XSS via Pygments fallback in stacktrace rendering Critical
CVE-2026-27614 was published for bugsink (pip) Feb 25, 2026
Credited to ByamB4
Statamic is vulnerable to account takeover via password reset link injection Critical
CVE-2026-27593 was published for statamic/cms (Composer) Feb 24, 2026
Credited to Neosprings
ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints Critical
CVE-2026-27584 was published for @actual-app/sync-server (npm) Feb 24, 2026
Credited to iamsilk
FUXA has JWT Authentication Bypass via HTTP Referer header spoofing Critical
CVE-2025-69985 was published for @frangoteam/fuxa (npm) Feb 24, 2026
OneUptime: node:vm sandbox escape in probe allows any project member to achieve RCE Critical
CVE-2026-27574 was published for @oneuptime/common (npm) Feb 24, 2026
Credited to ByamB4
ormar is vulnerable to SQL Injection through aggregate functions min() and max() Critical
CVE-2026-26198 was published for ormar (pip) Feb 23, 2026
Credited to AAtomical
Apache Camel: KeycloakSecurityPolicy does not validate issuer of JWT tokens against configured realm Critical
CVE-2026-23552 was published for org.apache.camel:camel-keycloak (Maven) Feb 23, 2026