GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
10 advisories
Gotenberg has ExifTool stdin argument injection via metadata value newlines (bypass of key sanitization fix)
Critical
CVE-2026-40281
was published
for
github.com/gotenberg/gotenberg/v8
(Go)
Apr 30, 2026
Gotenberg has case-insensitive URL scheme that bypasses webhook and downloadFrom deny-list SSRF protection
Critical
CVE-2026-40280
was published
for
github.com/gotenberg/gotenberg/v8
(Go)
Apr 30, 2026
YesWiki vulnerable to authenticated SQL Injection via id_fiche in EntryManager::formatDataBeforeSave()
High
CVE-2026-41143
was published
for
yeswiki/yeswiki
(Composer)
Apr 18, 2026
rhukster/dom-sanitizer: SVG <style> tag allows CSS injection via unfiltered url() and @import directives
Moderate
CVE-2026-40301
was published
for
rhukster/dom-sanitizer
(Composer)
Apr 10, 2026
Glances has CQL Injection in its Cassandra Export Module via Unsanitized Config Values
Moderate
CVE-2026-35588
was published
for
glances
(pip)
Apr 21, 2026
Kimai has an Open Redirect via Unvalidated RelayState in SAML ACS Handler
Low
GHSA-3jp4-mhh4-gcgr
was published
for
kimai/kimai
(Composer)
Apr 14, 2026
pyLoad: SSRF in parse_urls API endpoint via unvalidated URL parameter
High
CVE-2026-35187
was published
for
pyload-ng
(pip)
Apr 4, 2026
Authorizer: CQL/N1QL Injection in Cassandra and Couchbase Backends via fmt.Sprintf String Interpolation
High
GHSA-jfwg-rxf3-p7r9
was published
for
github.com/authorizerdev/authorizer
(Go)
Apr 6, 2026
Nautobot: Management of users via REST API does not apply configured password validators
Low
CVE-2026-34203
was published
for
nautobot
(pip)
Mar 31, 2026
Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items
Moderate
CVE-2026-33628
was published
for
invoiceninja/invoiceninja
(Composer)
Mar 24, 2026
ProTip!
Advisories are also available from the
GraphQL API