GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
4,210 advisories
Yamcs Vulnerable to Authenticated Remote Code Execution (RCE) via Jython Algorithm Code Injection
Critical
CVE-2026-46621
was published
for
org.yamcs:yamcs-core
(Maven)
May 27, 2026
Yamcs Vulnerable to Remote Code Execution via Mission Database algorithm override
Critical
CVE-2026-46562
was published
for
org.yamcs:yamcs-core
(Maven)
May 27, 2026
Langroid has Prompt to SQL Injection, Leading to RCE
Critical
CVE-2026-25879
was published
for
langroid
(pip)
May 27, 2026
LiquidJS is Vulnerable to Remote Code Execution
Critical
CVE-2026-45618
was published
for
liquidjs
(npm)
May 27, 2026
Yamcs Vulnerable to Server-Side Code Injection (RCE) via Janino Expression Engine in `JavaExprAlgorithmExecutionFactory`
Critical
CVE-2026-44632
was published
for
org.yamcs:yamcs-core
(Maven)
May 27, 2026
XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}
Critical
CVE-2026-33137
was published
for
org.xwiki.platform:xwiki-platform-rest-server
(Maven)
May 26, 2026
XWiki Platform has path traversal via resources parameter in ssx and jsx endpoints when using leading slash
Critical
CVE-2026-23734
was published
for
org.xwiki.commons:xwiki-commons-classloader-api
(Maven)
May 26, 2026
FileBrowser Quantum: Path traversal in public share PATCH allows file ops outside shared directory
Critical
GHSA-qqqm-5547-774x
was published
for
github.com/gtsteffaniak/filebrowser/backend
(Go)
May 22, 2026
YesWiki: Unauthenticated SQL Injection
Critical
CVE-2026-46670
was published
for
yeswiki/yeswiki
(Composer)
May 22, 2026
Apache Camel has an incomplete fix for CVE-2025-27636
Critical
CVE-2026-40453
was published
for
org.apache.camel:camel-coap
(Maven)
Apr 27, 2026
Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host
Critical
CVE-2026-46703
was published
for
@boxlite-ai/boxlite
(Go)
May 21, 2026
BoxLite: Permission Bypass Allows Modification of Read-Only Files
Critical
CVE-2026-46695
was published
for
@boxlite-ai/boxlite
(Go)
May 21, 2026
Fission router exposes /fission-function/<ns>/<name> on its public listener, allowing invocation of any function without an HTTPTrigger
Critical
CVE-2026-46614
was published
for
github.com/fission/fission
(Go)
May 21, 2026
Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
Critical
CVE-2026-44990
was published
for
sanitize-html
(npm)
May 14, 2026
ProTip!
Advisories are also available from the
GraphQL API