GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
1,265 advisories
Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host
Critical
CVE-2026-46703
was published
for
@boxlite-ai/boxlite
(Go)
May 21, 2026
BoxLite: Permission Bypass Allows Modification of Read-Only Files
Critical
CVE-2026-46695
was published
for
@boxlite-ai/boxlite
(Go)
May 21, 2026
Supply chain compromise via malicious package versions (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service)
Critical
CVE-2026-46421
was published
for
@cap-js/db-service
(npm)
May 20, 2026
9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes
Critical
CVE-2026-46339
was published
for
9router
(npm)
May 19, 2026
HAXcms: Private Key Disclosure via Broken HMAC Implementation
Critical
CVE-2026-46395
was published
for
@haxtheweb/haxcms-nodejs
(npm)
May 19, 2026
vm2 Has a Sandbox Breakout Using Async Generator
Critical
CVE-2026-45411
was published
for
vm2
(npm)
May 14, 2026
@samanhappy/mcphub: SSE Endpoint Accepts Arbitrary Username from URL Path Without Authentication, Enabling User Impersonation
Critical
GHSA-wf8q-wvv8-p8jf
was published
for
@samanhappy/mcphub
(npm)
May 14, 2026
Electerm Local code through electerm's single-instance socket
Critical
CVE-2026-45353
was published
for
electerm
(npm)
May 14, 2026
DeepSeek TUI: run_tests Tool Enables RCE via Malicious Repository Without Approval
Critical
CVE-2026-45311
was published
for
deepseek-tui
(npm)
May 14, 2026
Electerm: Importing unsafe bookmark data could lead to unsafe operation when clicking local type bookmark
Critical
CVE-2026-45058
was published
for
electerm
(npm)
May 14, 2026
Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
Critical
CVE-2026-44990
was published
for
sanitize-html
(npm)
May 14, 2026
n8n Has an XML Node Prototype Pollution Patch Bypass
Critical
CVE-2026-44791
was published
for
n8n
(npm)
May 14, 2026
n8n Has an Arbitrary File Read via Git Node
Critical
CVE-2026-44790
was published
for
n8n
(npm)
May 14, 2026
n8n: HTTP Request Node Pagination Prototype Pollution to RCE
Critical
CVE-2026-44789
was published
for
n8n
(npm)
May 14, 2026
FlowiseAI: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape
Critical
CVE-2026-46442
was published
for
flowise
(npm)
May 14, 2026
Strapi may leak sensitive data via relational filtering due to lack of query sanitization
Critical
CVE-2026-27886
was published
for
@strapi/strapi
(npm)
May 14, 2026
Strapi Vulnerable to SQL Injection in Content Type Builder
Critical
CVE-2026-22599
was published
for
@strapi/content-type-builder
(npm)
May 13, 2026
SillyTavern has a Path Traversal issue
Critical
CVE-2026-44650
was published
for
sillytavern
(npm)
May 12, 2026
SillyTavern has Authentication Bypass via SSO Header Injection
Critical
CVE-2026-44649
was published
for
sillytavern
(npm)
May 12, 2026
OpenClaude Sandbox Bypass via Model-Controlled `dangerouslyDisableSandbox` Input
Critical
CVE-2026-42074
was published
for
openclaude
(npm)
May 12, 2026
sealed-env: TOTP secret embedded in unseal token payload (enterprise mode)
Critical
CVE-2026-45091
was published
for
io.github.davidalmeidac:sealed-env-core
(Maven)
May 12, 2026
Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys
Critical
CVE-2026-45321
was published
for
@tanstack/arktype-adapter
(npm)
May 12, 2026
ProTip!
Advisories are also available from the
GraphQL API