
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

145 advisories

canto-saas-api: Authenticated API requests can be redirected via unencoded path variables Moderate
CVE-2026-55374 was published for jleehr/canto-saas-api (Composer) Jun 19, 2026
Credited to jleehr
opentelemetry-collector-contrib sentryexporter: Path traversal in Sentry exporter via attacker-controlled service.name reaches privileged Sentry API endpoints with operator bearer token Moderate
CVE-2026-47256 was published for github.com/open-telemetry/opentelemetry-collector-contrib/exporter/sentryexporter (Go) Jun 18, 2026
Credited to brodmart
Credited to nicolas-grekas and 0xEr3n
hermes-agent has an Injection issue Moderate
CVE-2026-9366 was published for hermes-agent (pip) May 26, 2026
hermes-agent has an Injection issue Moderate
CVE-2026-9353 was published for hermes-agent (pip) May 26, 2026
org.linlinjava:litemall-wx-api has an Injection issue Moderate
CVE-2026-8771 was published for org.linlinjava:litemall-wx-api (Maven) May 18, 2026
Hono has CSS Declaration Injection via Style Object Values in JSX SSR Moderate
CVE-2026-44458 was published for hono (npm) May 9, 2026
Credited to Gayang2902
hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection Moderate
CVE-2026-44455 was published for hono (npm) May 6, 2026
Credited to TarPeg007
SGLang has an Improper Input Validation/Injection Issue Moderate
CVE-2026-7669 was published for sglang (pip) May 3, 2026
sqlite-mcp has an Injection issue Moderate
CVE-2026-7206 was published for sqlite-mcp (pip) Apr 28, 2026
Dynamic-Datasource has an Injection vulnerability Moderate
CVE-2026-7045 was published for com.baomidou:dynamic-datasource-spring (Maven) Apr 27, 2026
PicoClaw has an Injection issue in its Web Launcher Management Plane component Moderate
CVE-2026-6987 was published for github.com/sipeed/picoclaw (Go) Apr 25, 2026
ShowDoc has an Injection vulnerability Moderate
CVE-2026-6982 was published for showdoc/showdoc (Composer) Apr 25, 2026
i18next-locize-backend has URL Injection via Unsanitized Path Parameters Moderate
CVE-2026-41885 was published for i18next-locize-backend (npm) Apr 22, 2026
i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns Moderate
CVE-2026-41691 was published for i18next-http-backend (npm) Apr 22, 2026
AgentScope Vulnerable to Remote Code Injection Moderate
CVE-2026-6603 was published for agentscope (pip) Apr 20, 2026
Credited to ROCmertakdag
MetaGPT has an eval injection in metagpt/strategy/tot.py Moderate
CVE-2026-6110 was published for metagpt (pip) Apr 12, 2026
MetaGPT has an Injection issue Moderate
CVE-2026-5970 was published for metagpt (pip) Apr 9, 2026
PowerJob's GroovyEvaluator.evaluate endpoint vulnerable to code injection Moderate
CVE-2026-5739 was published for tech.powerjob:powerjob-server-starter (Maven) Apr 7, 2026
PowerJob vulnerable to SQL injection Moderate
CVE-2026-5736 was published for tech.powerjob:powerjob-server-starter (Maven) Apr 7, 2026
@nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection') Moderate
CVE-2026-35515 was published for @nestjs/core (npm) Apr 6, 2026
Credited to aleister1102
Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows Moderate
CVE-2026-34773 was published for electron (npm) Apr 3, 2026
Electron: HTTP Response Header Injection in custom protocol handlers and webRequest Moderate
CVE-2026-34767 was published for electron (npm) Apr 3, 2026
Traefik has Knative Ingress Rule Injection that Allows Host Restriction Bypass Moderate
CVE-2026-32695 was published for github.com/traefik/traefik/v2 (Go) Mar 27, 2026
Credited to b-hermes