Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
61
GitHub Actions
50
Go
3,821
Maven
5,000+
npm
5,000+
NuGet
939
pip
5,000+
Pub
13
RubyGems
1,059
Rust
1,357
Swift
54
Unreviewed advisories
All unreviewed
5,000+

2,398 advisories

Loading
Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permission instead of builder access, allowing any authenticated app user to overwrite datasource connection parameters including host, port, and URL High
CVE-2026-45717 was published for @budibase/server (npm) May 15, 2026
komyunghan Credited to komyunghan
Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration High
CVE-2026-45715 was published for @budibase/server (npm) May 15, 2026
sajdakabir Credited to sajdakabir
Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation High
CVE-2026-45548 was published for @budibase/server (npm) May 15, 2026
morimori-dev Credited to morimori-dev
Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation High
CVE-2026-45364 was published for better-auth (npm) May 15, 2026
nexryai Credited to nexryai
@joplin/onenote-converter: Path traversal in OneNote importer allows overwriting arbitrary files High
CVE-2026-22810 was published for @joplin/onenote-converter (npm) May 15, 2026
msiemens Credited to msiemens
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @ranfdev/deepobj High
CVE-2026-46509 was published for @ranfdev/deepobj (npm) May 14, 2026
0xBassia Credited to 0xBassia
DeepSeek TUI has SSRF via HTTP Redirect Bypass in fetch_url Tool High
CVE-2026-45310 was published for deepseek-tui (npm) May 14, 2026
47Cid Credited to 47Cid
Open WebUI has Stored XSS in Banner Component via Improper Sanitization Order High
CVE-2026-45665 was published for open-webui (npm) May 14, 2026
POV9en Credited to POV9en
Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution High
CVE-2026-45395 was published for open-webui (npm) May 14, 2026
KadirArslan Credited to KadirArslan
Svelte devalue: DoS via sparse array deserialization High
CVE-2026-42570 was published for devalue (npm) May 14, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github, dummdidumm, and kq5y dummdidumm dummdidumm
kq5y kq5y
Apostrophe has stored XSS via javascript: URL in Image Widget Link High
CVE-2026-45011 was published for apostrophe (npm) May 14, 2026
MuhammadUwais Credited to MuhammadUwais
Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation High
CVE-2026-45013 was published for apostrophe (npm) May 14, 2026
Mujahidkhan525 Credited to Mujahidkhan525
Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget High
CVE-2026-45012 was published for apostrophe (npm) May 14, 2026
yigitsengezer Credited to yigitsengezer
Karakeep SDK has SSRF via metascraper-logo-favicon that bypasses validateUrl protections High
GHSA-7rx4-c5vx-g8w3 was published for @karakeep/sdk (npm) May 14, 2026
CE2Sec Credited to CE2Sec
FlowiseAI: Evaluator create+update mass-assignment allows cross-workspace evaluator takeover High
CVE-2026-46480 was published for flowise (npm) May 14, 2026
offset Credited to offset
FlowiseAI: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover High
CVE-2026-46479 was published for flowise (npm) May 14, 2026
offset Credited to offset
FlowiseAI: DatasetRow create+update mass-assignment allows cross-workspace row takeover High
CVE-2026-46478 was published for flowise (npm) May 14, 2026
offset Credited to offset
FlowiseAI: Dataset create+update mass-assignment allows cross-workspace dataset takeover High
CVE-2026-46477 was published for flowise (npm) May 14, 2026
offset Credited to offset
FlowiseAI: CustomTemplate create+update mass-assignment allows cross-workspace template takeover High
CVE-2026-46476 was published for flowise (npm) May 14, 2026
offset Credited to offset
FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover High
CVE-2026-46475 was published for flowise (npm) May 14, 2026
offset Credited to offset
FlowiseAI: Vector Store No Permission Checks High
CVE-2026-46444 was published for flowise (npm) May 14, 2026
Dimpyj1604 Credited to Dimpyj1604
n8n Has a Cross-user Authorization Bypass in Dynamic Credential OAuth Endpoints High
CVE-2026-45732 was published for n8n (npm) May 14, 2026
nkoorty Credited to nkoorty and jjjutla jjjutla jjjutla
n8n Has a Source Control Pull SQL Injection High
CVE-2026-44792 was published for n8n (npm) May 14, 2026
sm1ee Credited to sm1ee
FlowiseAI Vulnerable to Credential Data Leak High
CVE-2026-46443 was published for flowise (npm) May 14, 2026
Dimpyj1604 Credited to Dimpyj1604
FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment High
CVE-2026-46441 was published for flowise (npm) May 14, 2026
berkdedekarginoglu Credited to berkdedekarginoglu
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database