Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
2,891
Erlang
24
GitHub Actions
39
Go
2,240
Maven
2,698
npm
2,899
NuGet
500
pip
2,728
Pub
5
RubyGems
364
Rust
889
Swift
19
Unreviewed advisories
All unreviewed
5,000+

48 advisories

Loading
In JetBrains YouTrack before 2025.3.131383 high privileged user can achieve RCE via sandbox bypass High Unreviewed
CVE-2026-33392 was published Apr 17, 2026
BentoML: SSTI via Unsandboxed Jinja2 in Dockerfile Generation High
CVE-2026-35044 was published for bentoml (pip) Apr 3, 2026
offset Credited to offset
Giskard Agents have Server-side template injection via ChatWorkflow.chat() using non-sandboxed Jinja2 Environment High
CVE-2026-34172 was published for giskard-agents (pip) Mar 27, 2026
kodareef5 Credited to kodareef5
dynaconf Affected by Remote Code Execution (RCE) via Insecure Template Evaluation in @jinja Resolver High
CVE-2026-33154 was published for dynaconf (pip) Mar 18, 2026
redyank Credited to redyank
RCE via SSTI for users with permissions to access the Craft CMS Webhooks plugin High
CVE-2026-32261 was published for craftcms/webhooks (Composer) Mar 16, 2026
Neosprings Credited to Neosprings
Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in... High Unreviewed
CVE-2026-26938 was published Feb 26, 2026
A Server-Side Template Injection (SSTI) vulnerability in the /reporting/templates/preview/... High Unreviewed
CVE-2025-69516 was published Jan 29, 2026
OpenMetadata's Server-Side Template Injection (SSTI) in FreeMarker email templates leads to RCE High
CVE-2026-22244 was published for org.open-metadata:platform (Maven) Jan 7, 2026
lnlinh31 Credited to lnlinh31, manerow, TeddyCr, and pmbrull manerow manerow
TeddyCr TeddyCr pmbrull pmbrull
Bagisto is vulnerable to SSTI via name parameters provided by non-admin low-privilege users High
CVE-2026-21449 was published for bagisto/bagisto (Composer) Jan 2, 2026
Bagisto has Normal & Blind SSTI from low-privilege user when ordering product High
CVE-2026-21448 was published for bagisto/bagisto (Composer) Jan 2, 2026
Bagisto SSTI vulnerability in type parameter can lead to RCE High
CVE-2026-21450 was published for bagisto/bagisto (Composer) Jan 2, 2026
A Server-Side Template Injection (SSTI) vulnerability in the MDX Rendering Engine in Mintlify... High Unreviewed
CVE-2025-67843 was published Dec 19, 2025
An SSTI (Server-Side Template Injection) vulnerability exists in the get_address_display method... High Unreviewed
CVE-2025-66437 was published Dec 15, 2025
FoF Pretty Mail has a server-side template injection vulnerability High
CVE-2024-58303 was published for fof/pretty-mail (Composer) Dec 12, 2025
Akaunting 3.1.8 contains a server-side template injection vulnerability that allows authenticated... High Unreviewed
CVE-2024-58293 was published Dec 12, 2025
Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms High
CVE-2025-66298 was published for getgrav/grav (Composer) Dec 2, 2025
yiannakasgeorge Credited to yiannakasgeorge
Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass High
CVE-2025-66294 was published for getgrav/grav (Composer) Dec 2, 2025
nakkouchtarek Credited to nakkouchtarek
Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection High
CVE-2025-66297 was published for getgrav/grav (Composer) Dec 2, 2025
p1r0x Credited to p1r0x
Grav is Vulnerable to Security Sandbox Bypass with SSTI (Server Side Template Injection) High
CVE-2025-66299 was published for getgrav/grav (Composer) Dec 2, 2025
justwove Credited to justwove
LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates High
CVE-2025-65106 was published for langchain-core (pip) Nov 20, 2025
0xn3va Credited to 0xn3va
Canonical LXD Arbitrary File Read via Template Injection in Snapshot Patterns High
CVE-2025-54287 was published for github.com/lxc/lxd (Go) Oct 2, 2025
The Advanced Views – Display Posts, Custom Fields, and More plugin for WordPress is vulnerable to... High Unreviewed
CVE-2025-10380 was published Sep 23, 2025
Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Crocoblock... High Unreviewed
CVE-2025-53194 was published Aug 20, 2025
Skyvern has a Jinja runtime leak High
CVE-2025-49619 was published for skyvern (pip) Jun 7, 2025
Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI High
CVE-2025-46731 was published for craftcms/cms (Composer) May 5, 2025
singetu0096 Credited to singetu0096
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database