GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
1,266 advisories
LiquidJS is Vulnerable to Remote Code Execution
Critical: CVE-2026-45618 was published for liquidjs (npm) on May 27, 2026
Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host
Critical: CVE-2026-46703 was published for @boxlite-ai/boxlite (Go) on May 21, 2026
BoxLite: Permission Bypass Allows Modification of Read-Only Files
Critical: CVE-2026-46695 was published for @boxlite-ai/boxlite (Go) on May 21, 2026
@hulumi/policies: GitHub OIDC trust policy bypass via AWS set-qualified condition operators
Critical: GHSA-q2f7-m237-v562 was published for @hulumi/policies (npm) on May 21, 2026
Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
Critical: CVE-2026-44990 was published for sanitize-html (npm) on May 14, 2026
Strapi may leak sensitive data via relational filtering due to lack of query sanitization
Critical: CVE-2026-27886 was published for @strapi/strapi (npm) on May 14, 2026
electerm allows unauthorized users to execute arbitrary commands
Critical: CVE-2020-23256 was published for electerm (npm) on Jan 20, 2023
OpenClaude Sandbox Bypass via Model-Controlled `dangerouslyDisableSandbox` Input
Critical: CVE-2026-42074 was published for openclaude (npm) on May 12, 2026
Supply chain compromise via malicious package versions (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service)
Critical: CVE-2026-46421 was published for @cap-js/db-service (npm) on May 20, 2026
Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19) — Mini Shai-Hulud worm
Critical: CVE-2026-46412 was published for @beproduct/nestjs-auth (npm) on May 19, 2026
9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes
Critical: CVE-2026-46339 was published for 9router (npm) on May 19, 2026
WebdriverIO BrowserStack Service has a Command Injection issue
Critical: CVE-2026-25244 was published for @wdio/browserstack-service (npm) on May 11, 2026
HAXcms: Private Key Disclosure via Broken HMAC Implementation
Critical: CVE-2026-46395 was published for @haxtheweb/haxcms-nodejs (npm) on May 19, 2026
Malware in @opensearch-project/opensearch
Critical: GHSA-27f5-xjrr-q9ff was published for @opensearch-project/opensearch (npm) on May 19, 2026
Strapi Vulnerable to SQL Injection in Content Type Builder
Critical: CVE-2026-22599 was published for @strapi/content-type-builder (npm) on May 13, 2026
vm2 Has a Sandbox Breakout Using Async Generator
Critical: CVE-2026-45411 was published for vm2 (npm) on May 14, 2026
FlowiseAI: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape
Critical: CVE-2026-46442 was published for flowise (npm) on May 14, 2026
MagicMirror vulnerable to unauthenticated SSRF via /cors endpoint
Critical: CVE-2026-42281 was published for magicmirror (npm) on May 5, 2026
@samanhappy/mcphub: SSE Endpoint Accepts Arbitrary Username from URL Path Without Authentication, Enabling User Impersonation
Critical: GHSA-wf8q-wvv8-p8jf was published for @samanhappy/mcphub (npm) on May 14, 2026
fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver
Critical: CVE-2026-44351 was published for fast-jwt (npm) on May 6, 2026
vm2 has Sandbox Breakout Through Null Proto Exception
Critical: CVE-2026-44009 was published for vm2 (npm) on May 8, 2026
vm2 has sandbox breakout via `neutralizeArraySpeciesBatch`
Critical: CVE-2026-44008 was published for vm2 (npm) on May 8, 2026
vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution
Critical: CVE-2026-44007 was published for vm2 (npm) on May 7, 2026
vm2 has a NodeVM builtin allowlist bypass via `module` builtin's `Module._load` that allows sandbox escape
Critical: CVE-2026-43999 was published for vm2 (npm) on May 7, 2026
vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape
Critical: CVE-2026-44005 was published for vm2 (npm) on May 7, 2026
ProTip! Advisories are also available from the GraphQL API.