
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

28,407 advisories

Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step Critical
CVE-2026-35216 was published for @budibase/server (npm) Apr 4, 2026
Credited to da7om85
Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write High
CVE-2026-35214 was published for @budibase/server (npm) Apr 4, 2026
Credited to bugbunny-research
actions-mkdocs: Command Injection via issue title in internal GitHub Actions workflow Moderate
GHSA-6p2j-742g-835f was published for Tiryoh/actions-mkdocs (GitHub Actions) Apr 4, 2026
Credited to choseogyeong
DynFuture Drop Can Construct a Dangling Reference Moderate
GHSA-j3w3-p6mr-3hrh was published for dyn-future (Rust) Apr 4, 2026
scaly: Multiple soundness issues in Rust safe APIs High
GHSA-2c6h-4899-wjxr was published for scaly (Rust) Apr 4, 2026
@mobilenext/mobile-mcp: Arbitrary Android Intent Execution via mobile_open_url High
CVE-2026-35394 was published for @mobilenext/mobile-mcp (npm) Apr 4, 2026
Credited to manthanghasadiya
@stablelib/cbor: Stack exhaustion Denial of Service via deeply nested CBOR arrays, maps, or tags High
GHSA-5jg4-p4qw-cgfr was published for @stablelib/cbor (npm) Apr 4, 2026
Credited to Jvr2022
@stablelib/cbor: Prototype poisoning via `__proto__` map keys in CBOR decoding High
GHSA-w48f-fwg7-ww6p was published for @stablelib/cbor (npm) Apr 4, 2026
Credited to Jvr2022
@hapi/content: Regular Expression Denial of Service (ReDoS) in HTTP header parsing High
CVE-2026-35213 was published for @hapi/content (npm) Apr 4, 2026
Parse Server: File upload Content-Type override via extension mismatch Low
CVE-2026-35200 was published for parse-server (npm) Apr 4, 2026
Credited to offset and mtrezza
pyLoad: SSRF in parse_urls API endpoint via unvalidated URL parameter High
CVE-2026-35187 was published for pyload-ng (pip) Apr 4, 2026
Credited to morimori-dev
Jackson Core: Document length constraint bypass in blocking, async, and DataInput parsers High
GHSA-2m67-wjpj-xhg9 was published for tools.jackson.core:jackson-core (Maven) Apr 4, 2026
Credited to anyzy2003
AVideo: CSRF on Player Skin Configuration via admin/playerUpdate.json.php Moderate
CVE-2026-35181 was published for wwbn/avideo (Composer) Apr 3, 2026
Credited to adrgs and aisafe-bot
Hugo: Certain markdown links are not properly escaped Moderate
CVE-2026-35166 was published for github.com/gohugoio/hugo (Go) Apr 3, 2026
Credited to cataliniovita
AVideo: Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php Moderate
CVE-2026-35179 was published for wwbn/avideo (Composer) Apr 3, 2026
Credited to adrgs and aisafe-bot
BentoML: SSTI via Unsandboxed Jinja2 in Dockerfile Generation High
CVE-2026-35044 was published for bentoml (pip) Apr 3, 2026
Credited to offset
BentoML: Command Injection in cloud deployment setup script High
CVE-2026-35043 was published for bentoml (pip) Apr 3, 2026
Credited to kodareef5
fast-jwt accepts unknown `crit` header extensions (RFC 7515 violation) High
CVE-2026-35042 was published for fast-jwt (npm) Apr 3, 2026
Credited to dmbs335
LiteLLM: Authentication bypass via OIDC userinfo cache key collision Critical
CVE-2026-35030 was published for litellm (pip) Apr 3, 2026
Credited to veria-labs
LiteLLM: Privilege escalation via unrestricted proxy configuration endpoint High
CVE-2026-35029 was published for litellm (pip) Apr 3, 2026
goshs: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) Critical
CVE-2026-35471 was published for github.com/patrickhener/goshs (Go) Apr 3, 2026
Credited to autobot23920
OpenSTAManager has a SQL Injection via righe Parameter in confronta_righe Modals High
CVE-2026-35470 was published for devcode-it/openstamanager (Composer) Apr 3, 2026
Credited to ormzro
Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service High
CVE-2026-34824 was published for mesop (pip) Apr 3, 2026
Credited to tubadeligoz
Budibase: Command Injection in Bash Automation Step High
CVE-2026-25044 was published for @budibase/server (npm) Apr 3, 2026
Credited to omkarparth
Electron: Use-after-free in offscreen shared texture release() callback Low
CVE-2026-34764 was published for electron (npm) Apr 3, 2026
Credited to daffainfo