
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

330 advisories

Budibase: Unrestricted Upload of File with Dangerous Type (High)
CVE-2026-46426 was published for budibase (npm) May 19, 2026
Credited to da7om85

Open WebUI has stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions (High)
CVE-2026-45315 was published for open-webui (pip) May 14, 2026
Credited to maloleg and Classic298

Strapi Upload Plugin MIME Validation Bypass via Content API (Moderate)
CVE-2026-22707 was published for @strapi/upload (npm) May 14, 2026
Credited to kaminuma and arkmarta

Dalfox Server Mode has an Unauthenticated Arbitrary File Create/Append via `output` Option (High)
CVE-2026-45089 was published for github.com/hahwul/dalfox/v2 (Go) May 12, 2026
Credited to drmingler

Open WebUI Vulnerable to Arbitrary File Upload and Path Traversal (High)
CVE-2026-44566 was published for open-webui (pip) May 8, 2026
Credited to KoreLogicSecurityDisclosures

FacturaScripts Vulnerable to Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images (Moderate)
CVE-2026-42879 was published for facturascripts/facturascripts (Composer) May 7, 2026
Credited to guzrex

FacturaScripts Vulnerable to Remote Code Execution (RCE) via Zip Slip in Plugin Upload Mechanism (High)
CVE-2026-27891 was published for facturascripts/facturascripts (Composer) May 7, 2026
Credited to ZeroXJacks

Low-privileged Grav API users can create super-admin accounts via blueprint-upload (High)
CVE-2026-42844 was published for getgrav/grav (Composer) May 6, 2026
Credited to 0d000721999

livewire-markdown-editor has arbitrary file upload that allows stored XSS via attachment handler (High)
GHSA-gxxh-8vcj-w2mh was published for mckenziearts/livewire-markdown-editor (Composer) May 4, 2026

OpenSTAManager contains an arbitrary file upload vulnerability in its module update functionality (High)
CVE-2026-38751 was published for devcode-it/openstamanager (Composer) May 4, 2026

CI4MS has Unrestricted PHP File Upload via Theme Installation that Leads to Authenticated Remote Code Execution (High)
CVE-2026-41587 was published for ci4-cms-erp/ci4ms (Composer) Apr 29, 2026
Credited to dapickle

Cockpit Vulnerable to Unrestricted Upload of File with Dangerous Type (High)
CVE-2026-38991 was published for cockpit-hq/cockpit (Composer) Apr 29, 2026

OpenMage LTS: Customer File Upload Extension Blocklist Bypass → Remote Code Execution (High)
CVE-2026-40488 was published for openmage/magento-lts (Composer) Apr 21, 2026
Credited to amine-malloul-gira and tsokalski

Flowise: File Upload Validation Bypass in createAttachment (High)
CVE-2026-41269 was published for flowise (npm) Apr 16, 2026
Credited to quirmz

Weblate: Remote code execution during backup restoration (High)
CVE-2026-33435 was published for weblate (pip) Apr 16, 2026
Credited to nijel and amCap1712

Note Mark has Stored XSS via Unrestricted Asset Upload (High)
CVE-2026-40262 was published for github.com/enchant97/note-mark/backend (Go) Apr 13, 2026
Credited to QiaoNPC, Across-Verticals-Malaysia, and enchant97

Ech0 has Stored XSS via SVG Upload and Content-Type Validation Bypass in File Upload (Moderate)
GHSA-69hx-63pv-f8f4 was published for github.com/lin-snow/ech0 (Go) Apr 10, 2026
Credited to offset

OpenClaw: Tlon media downloads can bypass core safety limits and exhaust disk (Moderate)
CVE-2026-41408 was published for openclaw (npm) Apr 7, 2026
Credited to AntAISecurityLab

c2cciutils affected by CVE-2022-40896 (Moderate)
GHSA-qc22-xmq4-qg46 was published for c2cciutils (pip) Apr 1, 2026

baserCMS has Unsafe File Upload Leading to Remote Code Execution (RCE) (High)
CVE-2025-32957 was published for baserproject/basercms (Composer) Mar 31, 2026
Credited to MinhhhCuonggg and Vatvo69

Go Images vulnerable to an out-of-memory error via a crafted TIFF file (Moderate)
CVE-2026-33809 was published for golang.org/x/image (Go) Mar 25, 2026
Credited to ZephrFish

AVideo: Remote Code Execution via PHP Temp File in Encoder downloadURL (High)
CVE-2026-33717 was published for wwbn/avideo (Composer) Mar 25, 2026
Credited to offset

Sharp has Unrestricted File Upload via Client-Controlled Validation Rules (High)
CVE-2026-33687 was published for code16/sharp (Composer) Mar 25, 2026