
GitHub Advisory Database

Security vulnerability database covering CVEs and GitHub-originated security advisories from the world of open source software.

10,950 advisories

Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration (High)
CVE-2026-45716 was published for @budibase/worker (npm) May 18, 2026
Credited to offset and u-ktdi
multiparty vulnerable to ReDoS via filename parsing (High)
CVE-2026-8159 was published for multiparty (npm) May 18, 2026
Credited to aszx87410, blakeembrey, and UlisesGascon
multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing (High)
CVE-2026-8162 was published for multiparty (npm) May 18, 2026
Credited to ByamB4, blakeembrey, and UlisesGascon
multiparty: Denial of Service via Prototype Pollution leads to Uncaught Exception (High)
CVE-2026-8161 was published for multiparty (npm) May 18, 2026
Credited to Ser0n-ath, bjohansebas, kq5y, ByamB4, blakeembrey, ljharb, and UlisesGascon
ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351 (High)
CVE-2026-45363 was published for jwt (RubyGems) May 18, 2026
Credited to SnailSploit
TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection (High)
CVE-2026-45327 was published for github.com/DatanoiseTV/tinyice (Go) May 18, 2026
@tmlmobilidade/utils has prototype pollution in its setValueAtPath (High)
CVE-2026-45325 was published for @tmlmobilidade/utils (npm) May 18, 2026
Credited to 0xBassia
dynoxide: DNS rebinding and cross-origin CSRF via MCP HTTP transport (High)
GHSA-fvh2-gm75-j4j7 was published for dynoxide (npm) May 18, 2026
Credited to hicksy
parse-nested-form-data has Prototype Pollution via `__proto__` in FormData field names (High)
CVE-2026-45302 was published for parse-nested-form-data (npm) May 18, 2026
Credited to 0xBassia
async-http-client: Cookie header not stripped on cross-origin redirect (High)
CVE-2026-45300 was published for org.asynchttpclient:async-http-client (Maven) May 18, 2026
Credited to tndud042713
Dozzle: Pre-auth SSRF with response-body reflection via POST /api/notifications/test-webhook (default no-auth deploy) (High)
CVE-2026-45298 was published for github.com/amir20/dozzle (Go) May 18, 2026
shopper/framework: Authorization bypass in multiple Livewire admin components (High)
GHSA-f946-9qp6-vgch was published for shopper/framework (Composer) May 18, 2026
Credited to baradika
iskorotkov/avro: CPU Exhaustion in Decoder (High)
CVE-2026-46385 was published for github.com/iskorotkov/avro/v2 (Go) May 18, 2026
Credited to klajok
CI4MS: Stored XSS in Pages Module Content via Broken html_purify Validation Rule (High)
CVE-2026-45270 was published for ci4-cms-erp/ci4ms (Composer) May 18, 2026
iskorotkov/avro: Integer Overflow in Decoder (High)
CVE-2026-46384 was published for github.com/iskorotkov/avro/v2 (Go) May 18, 2026
Credited to klajok
eduMFA Passkeys: missing expiration flag may allow replay attacks and reuse of old challenges (High)
GHSA-j5rm-v3vh-vx94 was published for edumfa (pip) May 18, 2026
eduMFA: Incorrect InnoDB snapshot isolation possibly allows token reuse (High)
GHSA-qq2p-4282-cfc5 was published for edumfa (pip) May 18, 2026
Arcane Backend: Unauthenticated reflected XSS via SVG color parameter enables admin account takeover (High)
CVE-2026-45627 was published for github.com/getarcaneapp/arcane/backend (Go) May 18, 2026
Credited to offset
Caddy: Unsafe Unicode Handling in FastCGI splitPos Allows Execution of Non-PHP Files (High)
CVE-2026-45135 was published for github.com/caddyserver/caddy/v2 (Go) May 18, 2026
Credited to dunglas, KC1zs4, and chenjj
Spring AI MCP Security: Unvalidated URL Fetching (SSRF) (High)
CVE-2026-45609 was published for org.springaicommunity:mcp-client-security (Maven) May 18, 2026
Credited to srikanthramu
form-data-objectizer: Prototype pollution via bracket-notation form keys (High)
CVE-2026-46510 was published for form-data-objectizer (npm) May 18, 2026
Credited to 0xBassia
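Three advisories in this listing (@tmlmobilidade/utils setValueAtPath, parse-nested-form-data, form-data-objectizer) name the same bug class: a nested-form parser turns a bracket-notation key such as `user[__proto__][isAdmin]` into a path and writes along it without refusing `__proto__`. The block below is an added, generic JavaScript illustration of that class beside a hardened write routine. It is not code from any of those packages or from the advisories; the function names (`parseKeyPath`, `setValueAtPathUnsafe`, `setValueAtPathSafe`) and the attacker input are constructed for the example.

```javascript
// Added example for this page: a generic illustration of prototype pollution
// through bracket-notation form keys, plus a hardened write routine. It is not
// the code of any package listed in the advisories above; every name here
// (parseKeyPath, setValueAtPathUnsafe, setValueAtPathSafe) is invented for
// the example and the attacker input is constructed.

// Split a key like "user[profile][name]" into the path ["user", "profile", "name"],
// the way nested-form-data parsers typically do.
function parseKeyPath(key) {
  return key.split(/\]?\[|\]$/).filter((segment) => segment.length > 0);
}

// Vulnerable pattern: walk the path and create intermediate objects as needed.
// Nothing stops a segment named "__proto__", so `node = node["__proto__"]`
// steps onto Object.prototype and the final assignment pollutes every object.
function setValueAtPathUnsafe(target, path, value) {
  let node = target;
  for (let i = 0; i < path.length - 1; i++) {
    if (typeof node[path[i]] !== 'object' || node[path[i]] === null) {
      node[path[i]] = {};
    }
    node = node[path[i]];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Hardened pattern, two layers deep:
//  1. refuse the segments that reach the prototype chain outright;
//  2. only descend into properties the current node actually owns, and create
//     intermediate objects with no prototype, so an inherited property can never
//     be used as a stepping stone even if the denylist were incomplete.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function setValueAtPathSafe(target, path, value) {
  for (const segment of path) {
    if (FORBIDDEN_SEGMENTS.has(segment)) {
      throw new Error(`rejected unsafe key segment: ${segment}`);
    }
  }
  let node = target;
  for (let i = 0; i < path.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(node, path[i]);
    if (!own || typeof node[path[i]] !== 'object' || node[path[i]] === null) {
      node[path[i]] = Object.create(null);
    }
    node = node[path[i]];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Run both routines against the same constructed attacker input and report
// what happened, then undo the pollution so the process is left clean.
function demonstrate() {
  const attackerKey = 'user[__proto__][isAdmin]'; // constructed input, e.g. a form field name
  const path = parseKeyPath(attackerKey);

  setValueAtPathUnsafe({}, path, true);
  const polluted = ({}).isAdmin === true; // an unrelated fresh object now "has" isAdmin
  delete Object.prototype.isAdmin;

  let rejected = false;
  try {
    setValueAtPathSafe({}, path, true);
  } catch (err) {
    rejected = true;
  }
  const stillClean = ({}).isAdmin === undefined;

  // Benign nested input must still work after hardening.
  const benign = setValueAtPathSafe({}, parseKeyPath('user[profile][name]'), 'alice');

  return { polluted, rejected, stillClean, benignName: benign.user.profile.name };
}

console.log(demonstrate());
```

The denylist alone is the usual first fix and the one most reports ask for; the own-property check and prototype-less intermediates are the second layer, since an inherited property (for example `constructor.prototype` on a plain object) is another route to the same place. When auditing a form parser, search for the loop that descends by key segment and check whether either layer is present.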
Graphite Has a Pickle Deserialization Vulnerability (High)
GHSA-qw48-84f6-28gv was published for graphitedb (pip) May 18, 2026
Credited to mkh-user
iskorotkov/avro: Denial-of-Service Vulnerability in Decoder (High)
GHSA-mx64-mj3q-7prj was published for github.com/iskorotkov/avro/v2 (Go) May 18, 2026
Credited to klajok