
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,581 advisories

@budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation High
CVE-2026-54353 was published for @budibase/backend-core (npm) Jun 22, 2026
Credited to Artex09
Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution via appId Override High
CVE-2026-54351 was published for @budibase/server (npm) Jun 22, 2026
Credited to offset
@actual-app/sync-server: Disabled OpenID users keep access through existing session tokens High
CVE-2026-49229 was published for @actual-app/sync-server (npm) Jun 22, 2026
Credited to pyuysig and MatissJanis
Credited to liyander
Budibase has an Account Impersonation Issue — Chat Identity Link Hijacking via Missing Consent & CSRF High
CVE-2026-50132 was published for @budibase/server (npm) Jun 22, 2026
Credited to VishaaLlKumaaRr
Budibase: SSRF via OAuth2 token endpoint URL reaches internal hosts and cloud metadata High
CVE-2026-48153 was published for @budibase/server (npm) Jun 22, 2026
Credited to adrgs and aisafe-bot
Lokka: Azure Resource Manager URL path validation issue High
GHSA-g2gw-q38m-vjfc was published for @merill/lokka (npm) Jun 19, 2026
Credited to hackchang
@jhb.software/payload-cloudinary-plugin: Arbitrary Cloudinary API Parameter Signing High
GHSA-h5x8-xp6m-x6q4 was published for @jhb.software/payload-cloudinary-plugin (npm) Jun 19, 2026
Credited to EQSTLab
appium-mcp: Unescaped Locator Data XSS in MCP-UI Resource (createLocatorGeneratorUI) High
GHSA-x975-rgx4-5fh4 was published for appium-mcp (npm) Jun 19, 2026
Credited to EQSTLab
Uni-CLI: Legacy HTTP MCP transport accepted browser-originated localhost requests High
GHSA-v3f4-w7r7-v3hm was published for @zenalexa/unicli (npm) Jun 19, 2026
Credited to dodge1218
SearXNG MCP Server: DNS-resolved Private Hostname SSRF in `web_url_read` High
GHSA-mrvx-jmjw-vggc was published for mcp-searxng (npm) Jun 19, 2026
Credited to EQSTLab and useworld
SearXNG MCP Server: Unbounded Response Body Read Bypasses URL Size Limit in `web_url_read` High
GHSA-xcqx-9jf5-w339 was published for mcp-searxng (npm) Jun 19, 2026
Credited to EQSTLab
Network-AI: Poisoned environment backup manifest allows arbitrary recursive deletion during backup pruning High
GHSA-2fmp-9rvw-hc96 was published for network-ai (npm) Jun 19, 2026
Credited to sondt99
Credited to kulesy
flat-to-nested: Prototype pollution in flat-to-nested convert() via __proto__ parent/id key High
CVE-2026-55091 was published for flat-to-nested (npm) Jun 19, 2026
Credited to moizxsec
@cyclonedx/cyclonedx-npm: Shell Injection via Unsanitized --workspace Argument High
CVE-2026-55849 was published for @cyclonedx/cyclonedx-npm (npm) Jun 19, 2026
Credited to fortress07 and jkowalleck
jupyterlab-git extension: Stored XSS leading to RCE High
CVE-2026-54527 was published for @jupyterlab/git (npm) Jun 19, 2026
Credited to krassowski and jtpio
parse-server: Denial of service via exponential-time processing of deeply nested query operators High
GHSA-cgxm-vr2f-6fj8 was published for parse-server (npm) Jun 19, 2026
Credited to sajdakabir and mtrezza
undici WebSocket client vulnerable to denial of service via fragment count bypass High
CVE-2026-12151 was published for undici (npm) Jun 19, 2026
Credited to lpinca, Nadav0077, and UlisesGascon
undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse High
CVE-2026-6734 was published for undici (npm) Jun 19, 2026
Credited to ChALkeR, mcollina, and UlisesGascon
OpenClaw: Workspace-derived service PATH could influence trash command selection High
CVE-2026-53865 was published for openclaw (npm) Jun 18, 2026