GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
4,449 advisories
Filter by severity
Duplicate Advisory: PickleScan's profile.run blocklist mismatch allows exec() bypass
Critical
GHSA-4mpj-78p6-rj59
was published
for
picklescan
(pip)
Jun 17, 2026
•
withdrawn
Duplicate Advisory: PickleScan's pkgutil.resolve_name has a universal blocklist bypass
Critical
GHSA-82fg-2r99-h7v6
was published
for
picklescan
(pip)
Jun 17, 2026
•
withdrawn
Duplicate Advisory: Picklescan has pickle parsing logic flaw that leads to malicious pickle file bypass
Critical
GHSA-5rph-q42j-36j9
was published
for
picklescan
(pip)
Jun 17, 2026
•
withdrawn
Duplicate Advisory: Picklescan has Incomplete List of Disallowed Inputs
Critical
GHSA-6v84-v468-3c7f
was published
for
picklescan
(pip)
Jun 17, 2026
•
withdrawn
Duplicate Advisory: Picklescan does not block ctypes
Critical
GHSA-7f79-rvx6-vxc4
was published
for
picklescan
(pip)
Jun 17, 2026
•
withdrawn
Duplicate Advisory: Picklescan vulnerable to Arbitrary File Writing
Critical
GHSA-rmpp-8wf5-xx5q
was published
for
picklescan
(pip)
Jun 17, 2026
•
withdrawn
Apache Airflow SFTP provider: Path traversal in SFTPHook.retrieve_directory
Critical
CVE-2026-50203
was published
for
apache-airflow-providers-sftp
(pip)
Jun 17, 2026
Apache DolphinScheduler: DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure
Critical
CVE-2026-32966
was published
for
org.apache.dolphinscheduler:dolphinscheduler-api
(Maven)
Jun 17, 2026
Apache DolphinScheduler: The `/v2` experimental interface lacks permission checks
Critical
CVE-2026-32967
was published
for
org.apache.dolphinscheduler:dolphinscheduler-api
(Maven)
Jun 17, 2026
Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix
Critical
CVE-2026-49980
was published
for
github.com/rclone/rclone
(Go)
Jun 16, 2026
LiteLLM: Authentication Bypass via Host Header Injection
Critical
CVE-2026-49468
was published
for
litellm
(pip)
Jun 16, 2026
LobeHub: Unauthenticated SSRF in `/webapi/proxy`
Critical
CVE-2026-54157
was published
for
@lobehub/lobehub
(npm)
Jun 16, 2026
Crawl4AI: Multiple Docker API Vulnerabilities - File Write, SSRF, Auth Bypass, XSS, JS Execution
Critical
CVE-2026-56266
was published
for
crawl4ai
(pip)
Jun 16, 2026
Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API
Critical
CVE-2026-53753
was published
for
crawl4ai
(pip)
Jun 16, 2026
Langflow: Unauthenticated RCE in Shareable Playgrounds
Critical
CVE-2026-48519
was published
for
langflow
(pip)
Jun 16, 2026
Remotion: arbitrary file write vulnerability
Critical
CVE-2026-30121
was published
for
remotion
(npm)
Jun 15, 2026
Remotion: remote code execution (RCE) vulnerability
Critical
CVE-2026-30120
was published
for
remotion
(npm)
Jun 15, 2026
Electron: Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow
Critical
CVE-2026-54257
was published
for
electron
(npm)
Jun 15, 2026
Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE
Critical
CVE-2026-53633
was published
for
@vitest/browser
(npm)
Jun 15, 2026
Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign
Critical
CVE-2026-48150
was published
for
@budibase/server
(npm)
Jun 12, 2026
CodeIgniter4 has a validation bypass when uploading file extensions via `ext_in` rule
Critical
CVE-2026-48062
was published
for
codeigniter4/framework
(Composer)
Jun 11, 2026
Meta Ads MCP: Unauthenticated HTTP MCP Tool Execution Leaks Operator Meta Access Token
Critical
CVE-2026-48039
was published
for
meta-ads-mcp
(pip)
Jun 11, 2026
Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload
Critical
CVE-2026-48063
was published
for
@whiskeysockets/baileys
(npm)
Jun 10, 2026
Go Restful API Boilerplate: Hardcoded JWT Secret "random" Allows Token Forgery
Critical
CVE-2026-48031
was published
for
github.com/dhax/go-base
(Go)
Jun 10, 2026
ProTip!
Advisories are also available from the
GraphQL API