GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

462 advisories

tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape High
CVE-2026-44705 was published for tmp (npm) May 27, 2026
Credited to Gyde04 and MaanVader
Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host Critical
CVE-2026-46703 was published for @boxlite-ai/boxlite (Go) May 21, 2026
Credited to XlabAITeam
n8n: Legacy ExecuteWorkflow Node Bypassed File Path Restrictions Moderate
GHSA-2vx9-7wpg-88jq was published for n8n (npm) May 19, 2026
Credited to YLChen-007
Strapi may leak sensitive data via relational filtering due to lack of query sanitization Critical
CVE-2026-27886 was published for @strapi/strapi (npm) May 14, 2026
Credited to WildWestCyberSecurity, innerdvations, derrickmehaffy, nclsndr, and Bassel17
SillyTavern has a Path Traversal issue Critical
CVE-2026-44650 was published for sillytavern (npm) May 12, 2026
Credited to ygboy777-alt, Greg-Kim, S4nso, and Mirr2
Credited to StarPlatinu and igalklebanov
Electerm runWidget has a path traversal that leads to arbitrary code execution Critical
CVE-2026-43940 was published for electerm (npm) May 8, 2026
Credited to osageling
fast-uri vulnerable to path traversal via percent-encoded dot segments High
CVE-2026-6321 was published for fast-uri (npm) May 8, 2026
Credited to Jvr2022, mcollina, UlisesGascon, and climba03003
n8n-mcp affected by path traversal, redirect-following SSRF, and telemetry payload exposure High
GHSA-8g7g-hmwm-6rv2 was published for n8n-mcp (npm) May 8, 2026
Credited to cybercraftsolutionsllc
short-video-maker has a path traversal vulnerability Moderate
CVE-2026-8115 was published for short-video-maker (npm) May 8, 2026
mcp-ssh-tool has file transfer path policy bypass and bearer token comparison hardening High
GHSA-j7h9-2jh7-g967 was published for mcp-ssh-tool (npm) May 7, 2026
Angular SSR has Open Redirect and Request Steering via Encoded X-Forwarded-Prefix Moderate
CVE-2026-44437 was published for @angular/ssr (npm) May 6, 2026
Credited to kimkou2024, alan-agius4, dgp1130, and AndrewKushnir
Nitro has a proxy scope bypass via percent-encoded path traversal in `routeRules` Moderate
CVE-2026-44373 was published for nitro (npm) May 6, 2026
Credited to mHe4am
@puchunjie/doc-tools-mcp has a Path Traversal Issue Low
CVE-2026-7738 was published for @puchunjie/doc-tools-mcp (npm) May 4, 2026
sublinear-time-solver has a Path Traversal Issue Moderate
CVE-2026-7645 was published for sublinear-time-solver (npm) May 2, 2026
i18next-http-middleware has path traversal / SSRF via user-controlled language and namespace parameters High
CVE-2026-42353 was published for i18next-http-middleware (npm) Apr 29, 2026
OpenClaw: Webchat audio embedding could read local files without local-root containment Moderate
GHSA-gfg9-5357-hv4c was published for openclaw (npm) Apr 29, 2026
Credited to zsxsoft and KeenSecurityLab
Evolver: Path Traversal via `--out` flag in `fetch` command allows Arbitrary File Write High
CVE-2026-42075 was published for @evomap/evolver (npm) Apr 22, 2026
Credited to xeloxa
MCPHub has Path Traversal via Malicious MCPB Manifest Name High
GHSA-p3h2-2j4p-p83g was published for @samanhappy/mcphub (npm) Apr 22, 2026
Credited to keyblues
i18next-locize-backend has URL Injection via Unsanitized Path Parameters Moderate
CVE-2026-41885 was published for i18next-locize-backend (npm) Apr 22, 2026
i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite High
CVE-2026-41693 was published for i18next-fs-backend (npm) Apr 22, 2026
i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns Moderate
CVE-2026-41691 was published for i18next-http-backend (npm) Apr 22, 2026
i18next-http-middleware: Prototype pollution and path traversal via user-controlled language and namespace parameters High
CVE-2026-41690 was published for i18next-http-middleware (npm) Apr 22, 2026