GitHub Advisory Database

A security vulnerability database covering CVEs and GitHub-originated security advisories from the world of open source software.

13,578 advisories

ImageMagick: Heap Buffer Over-Write in json and yaml encoder of a single byte due to incorrect fix
Severity: Moderate
GHSA-jqq5-8px3-9m6m was published for Magick.NET-Q16-AnyCPU (NuGet) May 21, 2026
Credited to 007bsd

Pydantic AI: SSRF cloud-metadata blocklist bypass via IPv4-mapped IPv6 (Incomplete fix of CVE-2026-25580)
Severity: Moderate
CVE-2026-46678 was published for pydantic-ai (pip) May 21, 2026
Credited to j0hndo

SQLAdmin: Authorization Bypass on `ajax_lookup`
Severity: Moderate
CVE-2026-46645 was published for sqladmin (pip) May 21, 2026

Twig: `{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411)
Severity: Moderate
CVE-2026-46638 was published for twig/twig (Composer) May 21, 2026

Twig: `template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name
Severity: Moderate
CVE-2026-46634 was published for twig/twig (Composer) May 21, 2026

phpMyFAQ: Missing Authorization on Tag Deletion Allows Any Authenticated User to Delete Tags
Severity: Moderate
CVE-2026-46365 was published for phpMyFAQ/phpMyFAQ (Composer) May 15, 2026

phpMyFAQ: Stored XSS in FAQ Question/Answer via Encode-Decode Bypass of removeAttributes() Sanitization
Severity: Moderate
CVE-2026-46363 was published for phpMyFAQ/phpMyFAQ (Composer) May 15, 2026

phpMyFAQ: SVG Sanitizer Entity Decoding Depth Limit Bypass Leading to Stored XSS
Severity: Moderate
CVE-2026-46360 was published for phpMyFAQ/phpMyFAQ (Composer) May 15, 2026

phpMyFAQ: Path traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins
Severity: Moderate
CVE-2026-45008 was published for phpMyFAQ/phpMyFAQ (Composer) May 15, 2026

phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check
Severity: Moderate
CVE-2026-45009 was published for phpMyFAQ/phpMyFAQ (Composer) May 15, 2026

@hulumi/baseline: CloudTrail selector tampering events were not fully detected
Severity: Moderate
GHSA-gfp8-mp24-5vxg was published for @hulumi/baseline (npm) May 21, 2026

Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog
Severity: Moderate
CVE-2026-46609 was published for Umbraco.Cms (NuGet) May 21, 2026
Credited to kaushikmbabu

FlaskBB: SSRF in get_image_info() via unrestricted avatar URL
Severity: Moderate
CVE-2026-46556 was published for flaskbb (pip) May 21, 2026
Credited to woohyunchoi-kentech, programsurf, and yoonsh

NocoDB: Shared-base link access can invite arbitrary users as persistent base members
Severity: Moderate
CVE-2026-46552 was published for nocodb (npm) May 21, 2026
Credited to 0xmrma

NocoDB: Missing File Size Enforcement in Upload-by-URL Allows Denial of Service via Disk Exhaustion
Severity: Moderate
CVE-2026-46551 was published for nocodb (npm) May 21, 2026
Credited to ik0z

NocoDB: Refresh Token Cookie Set Without `secure` and `sameSite` Flags
Severity: Moderate
CVE-2026-46550 was published for nocodb (npm) May 21, 2026
Credited to ik0z

NocoDB: SSRF Protection Bypass in Notification Webhook Plugins (Slack, Discord, Mattermost, Teams)
Severity: Moderate
CVE-2026-46548 was published for nocodb (npm) May 21, 2026
Credited to ik0z

NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL
Severity: Moderate
CVE-2026-46547 was published for nocodb (npm) May 21, 2026
Credited to naoyashiga

Cockpit CMS: Stored cross-site scripting vulnerability in the Set field type's Display template option
Severity: Moderate
CVE-2026-23695 was published for cockpit-hq/cockpit (Composer) May 15, 2026

Snappy: SSRF and local file read via the xsl-style-sheet option
Severity: Moderate
CVE-2026-46683 was published for knplabs/knp-snappy (Composer) May 21, 2026

Fission builder accepts arbitrary buildcmd strings from Environment.spec.builder.command, allowing the builder pod to invoke arbitrary executables
Severity: Moderate
CVE-2026-46618 was published for github.com/fission/fission (Go) May 21, 2026
Credited to b0b0haha, j311yl0v3u, and sanketsudake

Umbraco.Cms: Open Redirect Vulnerability in Surface Controllers
Severity: Moderate
CVE-2026-46616 was published for Umbraco.Cms (NuGet) May 21, 2026
Credited to hwpark6804-gif

pyload-ng: SSRF via HTTP Redirect Bypass in parse_urls API
Severity: Moderate
CVE-2026-46561 was published for pyload-ng (pip) May 21, 2026
Credited to offset

nimiq-blockchain: Genesis batch set request
Severity: Moderate
CVE-2026-46543 was published for nimiq-blockchain (Rust) May 21, 2026
Credited to Piravlos