Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,904
Maven
5,000+
npm
5,000+
NuGet
967
pip
5,000+
Pub
13
RubyGems
1,062
Rust
1,374
Swift
54
Unreviewed advisories
All unreviewed
5,000+

2,196 advisories

Loading
@hapi/wreck leaks sensitive `Proxy-Authorization` header across cross-hostname redirects Moderate
CVE-2026-44979 was published for @hapi/wreck (npm) May 27, 2026
gasbugs Credited to gasbugs
LiquidJS's `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()` Moderate
CVE-2026-44646 was published for liquidjs (npm) May 27, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body Moderate
CVE-2026-44645 was published for liquidjs (npm) May 27, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS Moderate
CVE-2026-44644 was published for liquidjs (npm) May 27, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
CryptPad has a Sanitizer Bypass in Diffmarked.js that Allows Arbitrary HTML Injection and Potential XSS Moderate
CVE-2026-26028 was published for cryptpad (npm) May 26, 2026
ixSly Credited to ixSly
Typebot.io has stored XSS via `javascript`: URI in text bubble links — bot author executes JS on visitors' browsers Moderate
CVE-2026-39964 was published for @typebot.io/js (npm) May 26, 2026
morimori-dev Credited to morimori-dev
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set Moderate
CVE-2026-8723 was published for qs (npm) May 22, 2026
joannalange Credited to joannalange and ljharb ljharb ljharb
@hulumi/baseline: CloudTrail selector tampering events were not fully detected Moderate
GHSA-gfp8-mp24-5vxg was published for @hulumi/baseline (npm) May 21, 2026
NocoDB: Shared-base link access can invite arbitrary users as persistent base members Moderate
CVE-2026-46552 was published for nocodb (npm) May 21, 2026
0xmrma Credited to 0xmrma
NocoDB: Missing File Size Enforcement in Upload-by-URL Allows Denial of Service via Disk Exhaustion Moderate
CVE-2026-46551 was published for nocodb (npm) May 21, 2026
ik0z Credited to ik0z
NocoDB: Refresh Token Cookie Set Without `secure` and `sameSite` Flags Moderate
CVE-2026-46550 was published for nocodb (npm) May 21, 2026
ik0z Credited to ik0z
NocoDB: SSRF Protection Bypass in Notification Webhook Plugins (Slack, Discord, Mattermost, Teams) Moderate
CVE-2026-46548 was published for nocodb (npm) May 21, 2026
ik0z Credited to ik0z
NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL Moderate
CVE-2026-46547 was published for nocodb (npm) May 21, 2026
naoyashiga Credited to naoyashiga
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects Moderate
CVE-2026-34043 was published for serialize-javascript (npm) Mar 27, 2026
TomerAberbach Credited to TomerAberbach and sealonohana sealonohana sealonohana
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided Moderate
CVE-2026-41907 was published for uuid (npm) Apr 22, 2026
0xStraw-Hat Credited to 0xStraw-Hat, frattaro, julianladisch, uniabis, c-harding, milenkotomic, jwasnoggin, and mhassan1 frattaro frattaro
julianladisch julianladisch uniabis uniabis c-harding c-harding milenkotomic milenkotomic jwasnoggin jwasnoggin mhassan1 mhassan1
@sveltejs/kit: `query.batch` cross-talk Moderate
GHSA-hgv7-v322-mmgr was published for @sveltejs/kit (npm) May 21, 2026
rafabd1 Credited to rafabd1, elliott-with-the-longest-name-on-github, and dummdidumm elliott-with-the-longest-name-on-github elliott-with-the-longest-name-on-github
dummdidumm dummdidumm
Claude SDK for TypeScript has Insecure Default File Permissions in Local Filesystem Memory Tool Moderate
CVE-2026-41686 was published for @anthropic-ai/sdk (npm) Apr 29, 2026
gn00295120 Credited to gn00295120
Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows Moderate
GHSA-c2c9-mfw7-p8hw was published for flowise (npm) May 20, 2026
offset Credited to offset
Flowise: Mass Assignment in PUT /api/v1/user Allows Authenticated Users to Override Password Hash and Bypass Password Change Verification Moderate
GHSA-59fh-9f3p-7m39 was published for flowise (npm) May 20, 2026
berkdedekarginoglu Credited to berkdedekarginoglu
Flowise: Hardcoded CORS wildcard on TTS endpoint enables cross-origin credential abuse from any webpage Moderate
GHSA-m837-xvxr-vqwg was published for flowise (npm) May 20, 2026
DeathsPirate Credited to DeathsPirate
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain Moderate
CVE-2026-40175 was published for axios (npm) Apr 10, 2026
raulvdv Credited to raulvdv, SwTan98, Wenxin-Jiang, jasonsaayman, and ylemkimon SwTan98 SwTan98
Wenxin-Jiang Wenxin-Jiang jasonsaayman jasonsaayman ylemkimon ylemkimon
HAX CMS: Denial of Service using Malicious Import Request Moderate
CVE-2026-46357 was published for @haxtheweb/haxcms-nodejs (npm) May 19, 2026
silentrex04 Credited to silentrex04
Trubo: Login callback CSRF/session fixation Moderate
CVE-2026-45773 was published for turbo (npm) May 19, 2026
Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching Moderate
CVE-2026-46341 was published for @apify/actors-mcp-server (npm) May 19, 2026
yotampe-pluto Credited to yotampe-pluto
Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users to Retain Privileges for Up to 1 Hour Moderate
CVE-2026-46424 was published for @budibase/backend-core (npm) May 19, 2026
offset Credited to offset
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database