GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
5,246 advisories

Twig: Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation
High | CVE-2026-46640 was published for twig/twig (Composer) | May 21, 2026

Twig: PHP code injection via `{% use %}` template name
Critical | CVE-2026-46633 was published for twig/twig (Composer) | May 21, 2026

lmdeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out
High | CVE-2026-46517 was published for lmdeploy (pip) | May 21, 2026

LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization
High | CVE-2026-46432 was published for lmdeploy (pip) | May 21, 2026

Insufficient Validation of Member Zone Data May Cause Catalog Zone Transfer to Fail
Moderate | Unreviewed | CVE-2026-42396 was published | May 21, 2026

Improper Control of Generation of Code ('Code Injection') vulnerability in Mesalvo Meona Client...
Critical | Unreviewed | CVE-2026-22314 was published | May 20, 2026

scalar/astro v0.1.13 was discovered to contain an arbitrary file upload vulnerability in the the...
Critical | Unreviewed | CVE-2026-30117 was published | May 19, 2026

An issue was discovered in ModelScope 1.25.0 allowing attackers to execute arbitrary code via...
High | Unreviewed | CVE-2025-51427 was published | May 19, 2026

An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's...
Critical | Unreviewed | CVE-2026-2586 was published | May 19, 2026

Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Directives...
High | Unreviewed | CVE-2026-46586 was published | May 19, 2026

Improper Control of Generation of Code ('Code Injection') vulnerability in email services of...
Moderate | Unreviewed | CVE-2026-35086 was published | May 19, 2026

A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB...
Critical | Unreviewed | CVE-2026-45829 was published | May 18, 2026

Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API
Moderate | CVE-2026-45719 was published for @budibase/server (npm) | May 18, 2026

Formie: Pre-authenticated server-side template injection in Hidden fields
Critical | CVE-2026-45697 was published for verbb/formie (Composer) | May 18, 2026

A vulnerability in Command-Line Client in P4 Server prior to the 2025.2 Patch 2, identified as...
High | Unreviewed | CVE-2026-6902 was published | May 18, 2026

ACL Analytics versions 11.x through 13.0.0.579 contain an arbitrary code execution vulnerability...
Critical | Unreviewed | CVE-2018-25320 was published | May 17, 2026

python jsonpickle 2.0.0 contains a remote code execution vulnerability that allows attackers to...
Critical | Unreviewed | CVE-2021-47952 was published | May 16, 2026

ORSEE (Online Recruitment System for Economic Experiments) 3.1.0 contains an authenticated Remote...
Moderate | Unreviewed | CVE-2025-67031 was published | May 15, 2026

Schlix CMS 2.2.6-6 contains a remote code execution vulnerability that allows authenticated...
High | Unreviewed | CVE-2021-47964 was published | May 15, 2026

Code injection in SQL code generation in Apache Flink 1.15.0 through 1.20.x and 2.0.0 through 2.x...
High | Unreviewed | CVE-2026-35194 was published | May 15, 2026

Oinone Pamirs 7.0.0 contains a code execution vulnerability via ScriptRunner. The method...
Moderate | Unreviewed | CVE-2026-39052 was published | May 15, 2026

Crabbox: environment variable exposure vulnerability
Critical | CVE-2026-8634 was published for github.com/openclaw/crabbox (Go) | May 14, 2026

Script injection in SanitizerAPI in Google Chrome on Android prior to 148.0.7778.168 allowed a...
Moderate | Unreviewed | CVE-2026-8539 was published | May 14, 2026

Electerm Local code through electerm's single-instance socket
Critical | CVE-2026-45353 was published for electerm (npm) | May 14, 2026

DeepSeek TUI: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files
Critical | CVE-2026-45374 was published for deepseek-tui (Rust) | May 14, 2026

ProTip! Advisories are also available from the GraphQL API.