GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

31 advisories

FileBrowser Quantum: Path traversal in public share PATCH allows file ops outside shared directory Critical
GHSA-qqqm-5547-774x was published for github.com/gtsteffaniak/filebrowser/backend (Go) May 22, 2026
Credited to fg0x0 and Revanth011
Scriban: array.insert_at index parameter DoS bypasses LoopLimit and LimitToString High
GHSA-24c8-4792-22hx was published for scriban (NuGet) May 19, 2026
Credited to fg0x0
SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs High
CVE-2026-45371 was published for github.com/siyuan-note/siyuan/kernel (Go) May 13, 2026
Credited to fg0x0
n8n-mcp webhook and API client paths has an authenticated SSRF High
CVE-2026-44694 was published for n8n-mcp (npm) May 8, 2026
Credited to fg0x0
Credited to fg0x0, krassowski, jtpio, and Yann-P
Credited to fg0x0
Axios: unbounded recursion in toFormData causes DoS via deeply nested request data Moderate
CVE-2026-42039 was published for axios (npm) May 5, 2026
Credited to fg0x0
Weblate Vulnerable to Authenticated SSRF via Project Backup Import bypassing validate_repo_url Moderate
CVE-2026-41654 was published for weblate (pip) Apr 30, 2026
Credited to fg0x0 and nijel
wlc: print_html outputs API data without HTML escaping Moderate
CVE-2026-42150 was published for wlc (pip) Apr 24, 2026
Credited to fg0x0 and nijel
CI4MS Theme::upload is vulnerable to Zip Slip leading to RCE Critical
CVE-2026-41203 was published for ci4-cms-erp/ci4ms (Composer) Apr 22, 2026
Credited to fg0x0
CI4MS Backup::restore is vulnerable to Zip Slip leading to RCE Critical
CVE-2026-41202 was published for ci4-cms-erp/ci4ms (Composer) Apr 22, 2026
Credited to fg0x0
Credited to fg0x0
Juju: In-Memory Token Store for Discharge Tokens Lacks Concurrency Safety and Persistence Moderate
CVE-2026-5774 was published for github.com/juju/juju (Go) Apr 10, 2026
Credited to fg0x0, wallyworld, and tlm
Vite: `server.fs.deny` bypassed with queries High
CVE-2026-39364 was published for vite (npm) Apr 6, 2026
Credited to odgrso, ritikchaddha, neo-ai-engineer, instantraaamen, fg0x0, jonathanwd, kq5y, and bluwy
SiYuan vulnerable to reflected XSS via SVG namespace prefix bypass in SanitizeSVG (getDynamicIcon, unauthenticated) High
CVE-2026-34605 was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 1, 2026
Credited to fg0x0
Credited to fg0x0 and zachdaniel
AVideo: IDOR - Any Admin Can Set Another User's Channel Password via setPassword.json.php Moderate
CVE-2026-33297 was published for wwbn/avideo (Composer) Mar 19, 2026
Credited to fg0x0
AVideo has an Open Redirect via Unvalidated redirectUri in userLogin.php Low
CVE-2026-33296 was published for wwbn/avideo (Composer) Mar 19, 2026
Credited to fg0x0
AVideo Affected by Stored XSS via Unescaped Video Title in CDN downloadButtons.php High
CVE-2026-33295 was published for wwbn/avideo (Composer) Mar 19, 2026
Credited to fg0x0
AVideo has Unauthenticated PGP Message Decryption via Public Endpoint Moderate
GHSA-5x2w-37xf-7962 was published for wwbn/avideo (Composer) Mar 19, 2026
Credited to fg0x0
File Browser Signup Grants Admin When Default Permissions Include Admin Critical
CVE-2026-32760 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 16, 2026
Credited to fg0x0 and hacdias
File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely Moderate
CVE-2026-32759 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 16, 2026
Credited to fg0x0
SiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes Moderate
CVE-2026-32750 was published for github.com/siyuan-note/siyuan (Go) Mar 16, 2026
Credited to fg0x0
SiYuan importSY/importZipMd: path traversal via multipart filename enables arbitrary file write High
CVE-2026-32749 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 16, 2026
Credited to fg0x0
SiYuan globalCopyFiles: incomplete sensitive path blocklist allows reading /proc and Docker secrets Moderate
CVE-2026-32747 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 16, 2026
Credited to fg0x0