GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
367 advisories
compliance-trestle Remote Fetching Mechanism has an Arbitrary File Write via Cache Path Traversal
High | CVE-2026-45725 was published for compliance-trestle (pip) | May 27, 2026

Jenkins Email Extension Plugin 1933.v45cec755423f and earlier allows inlining images as `base64`...
High | Unreviewed | CVE-2026-48920 was published | May 27, 2026

The Xpro Elementor Addons - Pro plugin for WordPress is vulnerable to Arbitrary File Reading in...
Moderate | Unreviewed | CVE-2025-0898 was published | May 27, 2026

HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file(). send_file...
Critical | Unreviewed | CVE-2026-8450 was published | May 27, 2026

Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the...
Critical | Unreviewed | CVE-2026-47357 was published | May 19, 2026

Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via external URL...
Critical | Unreviewed | CVE-2026-47358 was published | May 19, 2026

HSC MailInspector v5.3.3-7 contains a Local File Inclusion (LFI) vulnerability caused by improper...
High | Unreviewed | CVE-2026-29962 was published | May 18, 2026

CI4MS Fileeditor allows deletion and rename of critical application files due to missing extension allowlist on destructive operations
Moderate | CVE-2026-45139 was published for ci4-cms-erp/ci4ms (Composer) | May 18, 2026

phpMyFAQ: Path traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins
Moderate | CVE-2026-45008 was published for phpMyFAQ/phpMyFAQ (Composer) | May 15, 2026

Microsoft APM: Windows absolute-path tar member overwrite during legacy-bundle probing in `apm install`
Moderate | CVE-2026-46383 was published for apm-cli (pip) | May 15, 2026

The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to...
High | Unreviewed | CVE-2026-3892 was published | May 14, 2026

External Control of File Name or Path in the Zoom Workplace VDI Plugin Windows Universal...
High | Unreviewed | CVE-2026-30905 was published | May 13, 2026

An arbitrary File Read and Delete Vulnerability in Palo Alto Networks WildFire® WF-500 and WF-500...
Moderate | Unreviewed | CVE-2026-0259 was published | May 13, 2026

External control of file name or path in Microsoft Edge (Chromium-based) allows an unauthorized...
High | Unreviewed | CVE-2026-41107 was published | May 12, 2026

External control of file name or path in Microsoft Office Word allows an unauthorized attacker to...
Moderate | Unreviewed | CVE-2026-40421 was published | May 12, 2026

External control of file name or path in Windows Ancillary Function Driver for WinSock allows an...
High | Unreviewed | CVE-2026-41088 was published | May 12, 2026

External control of file name or path in SQL Server allows an authorized attacker to execute code...
High | Unreviewed | CVE-2026-40370 was published | May 12, 2026

External control of file name or path in Azure Monitor Agent allows an authorized attacker to...
High | Unreviewed | CVE-2026-32204 was published | May 12, 2026

External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote...
Critical | Unreviewed | CVE-2026-8043 was published | May 12, 2026

Dalfox Server Mode has an Unauthenticated Arbitrary File Create/Append via `output` Option
High | CVE-2026-45089 was published for github.com/hahwul/dalfox/v2 (Go) | May 12, 2026

Dalfox Server Mode has an Unauthenticated Arbitrary File Read with Out-of-Band Exfiltration via `custom-payload-file`
High | CVE-2026-45088 was published for github.com/hahwul/dalfox/v2 (Go) | May 12, 2026

Streamlink has an arbitrary local file read via file:// URI in HLS and DASH
Moderate | CVE-2026-44353 was published for streamlink (pip) | May 11, 2026

SEPPmail Secure Email Gateway before version 15.0.4 contains an unauthenticated path traversal...
High | Unreviewed | CVE-2026-44127 was published | May 8, 2026

Microsoft APM CLI's plugin.json component paths escape plugin root and copy arbitrary host files during install
High | CVE-2026-44641 was published for apm-cli (pip) | May 7, 2026

Gotenberg allows Chromium URL conversion routes to read arbitrary files under /tmp via file:// scheme
Moderate | CVE-2026-42597 was published for github.com/gotenberg/gotenberg/v8 (Go) | May 7, 2026