GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories: 5,000+ in total. By ecosystem: Composer 3,193; Erlang 25; GitHub Actions 39; Go 2,385; Maven 3,027; npm 3,078; NuGet 529; pip 2,897; Pub 5; RubyGems 442; Rust 905; Swift 20.
Unreviewed advisories: 5,000+ in total.

Current listing: 2,553 advisories.
Identifier | Severity | Package (ecosystem) or review status | Published

CVE-2026-1509 | Moderate | Unreviewed | published Apr 22, 2026
  The Avada (Fusion) Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action...

CVE-2026-41645 | Moderate | github.com/projectdiscovery/nuclei/v3 (Go) | published Apr 22, 2026
  Nuclei: Environment variable disclosure via Response-Derived DSL Expressions

GHSA-6457-mxpq-4fqq | Moderate | i18nextify (npm) | published Apr 22, 2026
  i18nextify has DOM XSS via javascript:/data: URL schemes in translated href/src attributes

CVE-2026-33608 | High | Unreviewed | published Apr 22, 2026
  An attacker can send a notify request that causes a new secondary domain to be added to the bind...

CVE-2026-31018 | High | Unreviewed | published Apr 21, 2026
  In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the...

CVE-2026-32613 | Critical | io.spinnaker.echo:echo-pipelinetriggers (Maven) | published Apr 21, 2026
  Spinnaker: RCE via expression parsing due to unrestricted context handling

CVE-2026-39918 | Critical | Unreviewed | published Apr 20, 2026
  Vvveb prior to 1.0.8.1 contains a code injection vulnerability in the installation endpoint where...

CVE-2026-6652 | Moderate | Unreviewed | published Apr 20, 2026
  A weakness has been identified in Pagekit CMS up to 1.0.18. This issue affects the function...

CVE-2026-5760 | Critical | Unreviewed | published Apr 20, 2026
  SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file...

CVE-2026-41282 | Moderate | Unreviewed | published Apr 20, 2026
  ProjectDiscovery Nuclei 3 before 3.8.0 allows DSL expression injection. This affects use of -env...

CVE-2026-6621 | Moderate | Unreviewed | published Apr 20, 2026
  A vulnerability was determined in 1024bit extend-deep up to 0.1.6. The impacted element is an...

CVE-2026-6594 | Moderate | Unreviewed | published Apr 20, 2026
  A vulnerability was determined in brikcss merge up to 1.3.0. This affects an unknown part....

GHSA-p6x5-p4xf-cc4r | Critical | math-codegen (npm) | published Apr 17, 2026
  Remote Code Execution (RCE) via String Literal Injection into math-codegen

CVE-2026-41242 | Critical | protobufjs (npm) | published Apr 16, 2026
  Arbitrary code execution in protobufjs

GHSA-9wc7-mj3f-74xv | Critical | flowise (npm) | published Apr 16, 2026
  Flowise: Code Injection in CSVAgent leads to Authenticated RCE

GHSA-f228-chmx-v6j6 | High | flowise (npm) | published Apr 16, 2026
  Flowise: Remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using `Pandas`.

CVE-2026-40602 | Moderate | homeassistant-cli (pip) | published Apr 16, 2026
  Home Assistant Command-line Interface: Handling of user-supplied Jinja2 templates

CVE-2026-33435 | High | weblate (pip) | published Apr 16, 2026
  Weblate: Remote code execution during backup restoration

CVE-2025-54550 | High | apache-airflow (pip) | published Apr 16, 2026
  Apache Airflow: RCE by race condition in example_xcom dag

GHSA-5vjq-5jmg-39xq | Moderate | renovate (npm) | published Apr 16, 2026
  Renovate affected by remote code execution was possible using the bazel-module or bazelisk managers, when using lockFileMaintenance

GHSA-gc9w-cc93-rjv8 | Critical | froxlor/froxlor (Composer) | published Apr 16, 2026
  Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)

CVE-2026-30993 | Critical | Unreviewed | published Apr 15, 2026
  Slah CMS v1.5.0 and below was discovered to contain a remote code execution (RCE) vulnerability...

GHSA-2hx3-vp6r-mg3f | High | kiota (NuGet) | published Apr 14, 2026
  Kiota: Code Generation Literal Injection

GHSA-gph2-j4c9-vhhr | Critical | wwbn/avideo (Composer) | published Apr 14, 2026
  WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks

CVE-2026-39842 | Critical | io.openremote:openremote-manager (Maven) | published Apr 14, 2026
  Expression Injection in OpenRemote
ProTip! Advisories are also available from the GraphQL API.