Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
61
GitHub Actions
50
Go
3,821
Maven
5,000+
npm
5,000+
NuGet
939
pip
5,000+
Pub
13
RubyGems
1,059
Rust
1,357
Swift
54
Unreviewed advisories
All unreviewed
5,000+

30,628 advisories

Loading
AVideo CVE-2026-43884 incomplete fix - six (or more) `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post-`603e7bf` Moderate
CVE-2026-45619 was published for WWBN/AVideo (Composer) May 15, 2026
SnailSploit Credited to SnailSploit
AVideo: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA Moderate
CVE-2026-45610 was published for WWBN/AVideo (Composer) May 15, 2026
offset Credited to offset
AVideo: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute Moderate
CVE-2026-45580 was published for WWBN/AVideo (Composer) May 15, 2026
offset Credited to offset
AVideo: OS command injection in on_publish.php execAsync via unescaped m3u8 URL High
CVE-2026-45578 was published for WWBN/AVideo (Composer) May 15, 2026
offset Credited to offset
Improper Verification of Cryptographic Signature in com.oviva.telematik:epa4all-client High
CVE-2026-45575 was published for com.oviva.telematik:epa4all-client (Maven) May 15, 2026
snomi Credited to snomi and Volcore Volcore Volcore
epa4all-client: TLS Certificate Validation Disabled in Production High
CVE-2026-45574 was published for com.oviva.telematik:epa4all-client (Maven) May 15, 2026
snomi Credited to snomi and Volcore Volcore Volcore
Microsoft APM: Windows absolute-path tar member overwrite during legacy-bundle probing in `apm install` Moderate
CVE-2026-46383 was published for apm-cli (pip) May 15, 2026
0xmrma Credited to 0xmrma
AVideo's Meet plugin: `uploadRecordedVideo.json.php` derives `users_id` from the uploaded filename and calls passwordless `User->login()`, allowing any caller with the Meet shared secret to obtain a session as arbitrary users including admin High
GHSA-qxvm-r42f-5p8j was published for WWBN/AVideo (Composer) May 15, 2026
offset Credited to offset
arnika is affected by medium-severity issues in UDP rotation, PQC handling, and KMS TLS Moderate
GHSA-rc6v-5rmx-w5mv was published for github.com/arnika-project/arnika (Go) May 15, 2026
dpolzoni Credited to dpolzoni and nean-and-i nean-and-i nean-and-i
rkyv: Panic safety bugs in `InlineVec::clear` and `SerVec::clear` enable arbitrary code execution Moderate
GHSA-vfvv-c25p-m7mm was published for rkyv (Rust) May 15, 2026
SimpleSAMLphp casserver FileSystemTicketStore path traversal allows out-of-ticket-directory read/unserialize and conditional deletion High
CVE-2026-46491 was published for simplesamlphp/simplesamlphp-module-casserver (Composer) May 15, 2026
kamil-sawicki Credited to kamil-sawicki
Authenticated Sharp users can download unrelated Laravel Storage objects through the generic download endpoint High
CVE-2026-44692 was published for code16/sharp (Composer) May 15, 2026
baradika Credited to baradika
Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permission instead of builder access, allowing any authenticated app user to overwrite datasource connection parameters including host, port, and URL High
CVE-2026-45717 was published for @budibase/server (npm) May 15, 2026
komyunghan Credited to komyunghan
Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration High
CVE-2026-45715 was published for @budibase/server (npm) May 15, 2026
sajdakabir Credited to sajdakabir
Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation High
CVE-2026-45548 was published for @budibase/server (npm) May 15, 2026
morimori-dev Credited to morimori-dev
Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation High
CVE-2026-45364 was published for better-auth (npm) May 15, 2026
nexryai Credited to nexryai
Better Auth: OAuth callback accepts mismatched `state` when cookie-backed state storage is used without PKCE Moderate
GHSA-wxw3-q3m9-c3jr was published for better-auth (npm) May 15, 2026
Jvr2022 Credited to Jvr2022 and alavesa alavesa alavesa
goshs: SSH host key verification disabled, allowing transparent MITM of every tunnelled HTTP request High
GHSA-mxg3-432p-mr72 was published for goshs.de/goshs/v2 (Go) May 15, 2026
offset Credited to offset
Weblate: Stored HTML injection in editor search preview Moderate
CVE-2026-45106 was published for weblate (pip) May 15, 2026
adrgs Credited to adrgs and nijel nijel nijel
FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files High
CVE-2026-45062 was published for github.com/dunglas/frankenphp (Go) May 15, 2026
KC1zs4 Credited to KC1zs4, chenjj, and dunglas chenjj chenjj
dunglas dunglas
Pipecat: Path Traversal in Pipecat Runner `/files` Endpoint — Arbitrary File Read via `%2F`-Encoded Separator High
CVE-2026-44716 was published for pipecat-ai (pip) May 15, 2026
AAtomical Credited to AAtomical
NukeViet CMS: Stored Cross-Site Scripting (XSS) via insufficient server-side input sanitization in Request class High
CVE-2026-41147 was published for nukeviet/nukeviet (Composer) May 15, 2026
hoaquynhtim99 Credited to hoaquynhtim99 and johnwalker189 johnwalker189 johnwalker189
nimiq-keys: Unchecked Ed25519 signature length in TaggedPublicKey::verify causes remote node panic via DHT High
CVE-2026-40092 was published for nimiq-keys (Rust) May 15, 2026
Piravlos Credited to Piravlos
@joplin/onenote-converter: Path traversal in OneNote importer allows overwriting arbitrary files High
CVE-2026-22810 was published for @joplin/onenote-converter (npm) May 15, 2026
msiemens Credited to msiemens
SimpleSAMLphp casserver: Open Redirect in logout Moderate
CVE-2025-65954 was published for simplesamlphp/simplesamlphp-module-casserver (Composer) May 15, 2026
pradtke Credited to pradtke
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database