Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,894
Maven
5,000+
npm
5,000+
NuGet
963
pip
5,000+
Pub
13
RubyGems
1,061
Rust
1,373
Swift
54
Unreviewed advisories
All unreviewed
5,000+

4,192 advisories

Loading
Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host Critical
CVE-2026-46703 was published for @boxlite-ai/boxlite (Go) May 21, 2026
XlabAITeam Credited to XlabAITeam
BoxLite: Permission Bypass Allows Modification of Read-Only Files Critical
CVE-2026-46695 was published for @boxlite-ai/boxlite (Go) May 21, 2026
XlabAITeam Credited to XlabAITeam
Twig: PHP code injection via `{% use %}` template name Critical
CVE-2026-46633 was published for twig/twig (Composer) May 21, 2026
@hulumi/policies: GitHub OIDC trust policy bypass via AWS set-qualified condition operators Critical
GHSA-q2f7-m237-v562 was published for @hulumi/policies (npm) May 21, 2026
Fission router exposes /fission-function/<ns>/<name> on its public listener, allowing invocation of any function without an HTTPTrigger Critical
CVE-2026-46614 was published for github.com/fission/fission (Go) May 21, 2026
FORIMOC Credited to FORIMOC and sanketsudake sanketsudake sanketsudake
Supply chain compromise via malicious package versions (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service) Critical
CVE-2026-46421 was published for @cap-js/db-service (npm) May 20, 2026
patricebender Credited to patricebender and chgeo chgeo chgeo
Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19) — Mini Shai-Hulud worm Critical
CVE-2026-46412 was published for @beproduct/nestjs-auth (npm) May 19, 2026
Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft Critical
CVE-2026-46354 was published for github.com/coder/coder (Go) May 19, 2026
bencalif Credited to bencalif
MCP Gateway: Authority-injection and JWT/session bypass via the unauthenticated router hair-pin "router-key" / "mcp-init-host" path Critical
GHSA-g53w-w6mj-hrpp was published for github.com/Kuadrant/mcp-gateway (Go) May 19, 2026
Bhuvanesh66 Credited to Bhuvanesh66
9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes Critical
CVE-2026-46339 was published for 9router (npm) May 19, 2026
sondt99 Credited to sondt99
Kopia: RCE via SSH ProxyCommand Injection Critical
CVE-2026-45695 was published for github.com/kopia/kopia (Go) May 19, 2026
berardinellidaniele Credited to berardinellidaniele
Malicious code in guardrails-ai 0.10.1 (supply chain compromise) Critical
CVE-2026-45758 was published for guardrails-ai (pip) May 19, 2026
rok Python ProxyShare can be used as an SSRF proxy through absolute URL paths Critical
CVE-2026-45568 was published for zrok (pip) May 19, 2026
aisafe-bot Credited to aisafe-bot
HAXcms: Private Key Disclosure via Broken HMAC Implementation Critical
CVE-2026-46395 was published for @haxtheweb/haxcms-nodejs (npm) May 19, 2026
shreyas-challa Credited to shreyas-challa
Algernon: handler.lua discovery walks parent directories above the server root Critical
CVE-2026-45721 was published for github.com/xyproto/algernon (Go) May 19, 2026
Dredsen Credited to Dredsen
Malware in @opensearch-project/opensearch Critical
GHSA-27f5-xjrr-q9ff was published for @opensearch-project/opensearch (npm) May 19, 2026
Malicious dropper in mistralai 2.4.6 PyPI package Critical
GHSA-wx9m-wx4f-4cmg was published for mistralai (pip) May 18, 2026
nullcharb Credited to nullcharb
Formie: Pre-authenticated server-side template injection in Hidden fields Critical
CVE-2026-45697 was published for verbb/formie (Composer) May 18, 2026
pwnsauc3 Credited to pwnsauc3
Arcane Backend: Missing admin authorization on git repository endpoints allows non-admin users to exfiltrate stored Git credentials and tamper with GitOps configs Critical
CVE-2026-45625 was published for github.com/getarcaneapp/arcane/backend (Go) May 18, 2026
offset Credited to offset
Crabbox: environment variable exposure vulnerability Critical
CVE-2026-8634 was published for github.com/openclaw/crabbox (Go) May 14, 2026
vm2 Has a Sandbox Breakout Using Async Generator Critical
CVE-2026-45411 was published for vm2 (npm) May 14, 2026
XmiliaH Credited to XmiliaH
utcp-cli Vulnerable to Command Injection via Unsanitized Argument Substitution in CLI Communication Protocol Critical
CVE-2026-45369 was published for utcp-cli (pip) May 14, 2026
ZeroXJacks Credited to ZeroXJacks
Marten has an injection vulnerability in its full-text search regConfig parameter Critical
CVE-2026-45288 was published for Marten (NuGet) May 14, 2026
@samanhappy/mcphub: SSE Endpoint Accepts Arbitrary Username from URL Path Without Authentication, Enabling User Impersonation Critical
GHSA-wf8q-wvv8-p8jf was published for @samanhappy/mcphub (npm) May 14, 2026
ibrahmsql Credited to ibrahmsql
Electerm Local code through electerm's single-instance socket Critical
CVE-2026-45353 was published for electerm (npm) May 14, 2026
Curly-Haired-Baboon Credited to Curly-Haired-Baboon
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database