
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

976 advisories

Credited to offset

AVideo: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute (Moderate)
CVE-2026-45580, published for WWBN/AVideo (Composer) on May 15, 2026
Credited to offset

AVideo: OS command injection in on_publish.php execAsync via unescaped m3u8 URL (High)
CVE-2026-45578, published for WWBN/AVideo (Composer) on May 15, 2026
Credited to offset

Open WebUI Vulnerable to IDOR: Retrieval API Bypasses Knowledge Base Access Controls (High)
CVE-2026-45398, published for open-webui (pip) on May 14, 2026
Credited to tenbbughunters, johnatzeropath, and LeftenantZero

Karakeep SDK has SSRF via metascraper-logo-favicon that bypasses validateUrl protections (High)
GHSA-7rx4-c5vx-g8w3, published for @karakeep/sdk (npm) on May 14, 2026
Credited to CE2Sec

Absinthe: Quadratic fragment-name uniqueness check (High)
CVE-2026-43967, published for absinthe (Erlang) on May 14, 2026
Credited to PJUllrich and cschiewek

SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution (Critical)
CVE-2026-45375, published for github.com/siyuan-note/siyuan/kernel (Go) on May 13, 2026
Credited to Revanth011

SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs (High)
CVE-2026-45371, published for github.com/siyuan-note/siyuan/kernel (Go) on May 13, 2026
Credited to fg0x0

GitHub Copilot CLI: Nested Bare Repository Can Execute Arbitrary Commands via core.fsmonitor (High)
CVE-2026-45033, published for @github/copilot (npm) on May 11, 2026

n8n-mcp affected by path traversal, redirect-following SSRF, and telemetry payload exposure (High)
GHSA-8g7g-hmwm-6rv2, published for n8n-mcp (npm) on May 8, 2026
Credited to cybercraftsolutionsllc

ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction (Critical)
CVE-2026-42880, published for github.com/argoproj/argo-cd/v3 (Go) on May 7, 2026
Credited to hoang-prod

fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver (Critical)
CVE-2026-44351, published for fast-jwt (npm) on May 6, 2026
Credited to bhaswanthc and SociableSteve

phpMyFAQ has stored XSS via | raw Filter in search.twig — html_entity_decode(strip_tags()) Bypass in Search Result Rendering (Moderate)
GHSA-pqh6-8fxf-jx22, published for phpmyfaq/phpmyfaq (Composer) on May 6, 2026
Credited to Doodi101

wger: trainer_login open redirect - ?next= parameter not validated against host (Moderate)
GHSA-vqv8-j3mj-wjxj, published for wger (pip) on May 6, 2026
Credited to whatisproblem

wger: cross-tenant password reset and plaintext disclosure via gym=None bypass (Critical)
CVE-2026-43948, published for wger (pip) on May 6, 2026
Credited to whatisproblem

wger: CSV/TSV formula injection in gym member export (first_name/last_name) (High)
GHSA-xq9m-hmp9-fw87, published for wger (pip) on May 6, 2026
Credited to whatisproblem

Credited to offset

Credited to hits313

Axios: Header Injection via Prototype Pollution (High)
CVE-2026-42035, published for axios (npm) on May 5, 2026
Credited to raulvdv