GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
4,449 advisories
Filter by severity
Pheditor: OS Command Injection in terminal handler via unsanitized 'dir' parameter
Critical
CVE-2026-48030
was published
for
pheditor/pheditor
(Composer)
Jun 9, 2026
PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground
Critical
CVE-2026-8467
was published
for
phoenix_storybook
(Erlang)
Jun 9, 2026
shell-quote quote() does not escape newlines in object .op values
Critical
CVE-2026-9277
was published
for
shell-quote
(npm)
Jun 9, 2026
nebula-mesh: API endpoints lack ownership checks, enabling cross-operator privilege escalation
Critical
CVE-2026-47724
was published
for
github.com/juev/nebula-mesh
(Go)
Jun 8, 2026
Anyquery: AppleScript/JXA Code Injection via Unescaped URL in macOS Chrome Plugin
Critical
CVE-2026-47252
was published
for
github.com/julien040/anyquery/plugins/brave
(Go)
Jun 8, 2026
PHPSpreadsheet has a patch bypass for CVE-2026-34084
Critical
CVE-2026-45034
was published
for
phpoffice/phpspreadsheet
(Composer)
Jun 8, 2026
Cordova Plugin InAppBrowser: iOS: Arbitrary Cordova callback IDs can be dispatched without validation from InAppBrowser WebViews.
Critical
CVE-2026-47430
was published
for
cordova-plugin-inappbrowser
(npm)
Jun 8, 2026
Shopper: Authorization bypass and RBAC privilege escalation in team settings
Critical
CVE-2026-47744
was published
for
shopper/framework
(Composer)
Jun 5, 2026
NASA AMMOS Instrument Toolkit: Path traversal resulting in arbitrary file append (can be triggered over the network by unauthenticated attacker)
Critical
CVE-2026-47731
was published
for
ait-core
(pip)
Jun 5, 2026
Authenticated Remote Code Execution via loadReader functionName code injection in DbGate
Critical
CVE-2026-47670
was published
for
dbgate-api
(npm)
Jun 5, 2026
DbGate: Zip Slip in archive/unzip allows arbitrary file write leading to RCE
Critical
CVE-2026-47669
was published
for
dbgate
(npm)
Jun 5, 2026
DbGate: Unauthenticated Remote Code Execution via JSON Script Runner
Critical
CVE-2026-47668
was published
for
dbgate-serve
(npm)
Jun 5, 2026
MCP-for-Stata: Command injection via log_file_name parameter in Stata command wrapper
Critical
CVE-2026-47708
was published
for
stata-mcp
(pip)
Jun 4, 2026
Supply chain compromise via malicious @cap-js/openapi
Critical
GHSA-jpvj-wpmj-h7rv
was published
for
@cap-js/openapi
(npm)
Jun 4, 2026
WWBN AVideo: Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPTSocket Plugin
Critical
CVE-2026-54458
was published
for
WWBN/AVideo
(Composer)
Jun 4, 2026
Jupyter Enterprise Gateway: Kubernetes Manifest Injection in Jinja2 Template Rendering
Critical
CVE-2026-44182
was published
for
jupyter_enterprise_gateway
(pip)
Jun 3, 2026
Jupyter Enterprise Gateway: Jinja2 Template Server Side Template Injection resulting in Remote Code Execution
Critical
CVE-2026-44181
was published
for
jupyter_enterprise_gateway
(pip)
Jun 3, 2026
Jupyter Enterprise Gateway: ContainerProcessProxy._enforce_prohibited_ids Bypass
Critical
CVE-2026-44180
was published
for
jupyter_enterprise_gateway
(pip)
Jun 3, 2026
MLflow: Environment variable injection in AI Gateway secrets enables server-side credential exfiltration
Critical
CVE-2026-4035
was published
for
mlflow
(pip)
Jun 3, 2026
OpenMed vulnerable to remote code injection through privacy-filter model loading path
Critical
CVE-2026-47117
was published
for
openmed
(pip)
Jun 2, 2026
praisonai-platform: Any workspace member can add arbitrary user as owner via POST /workspaces/{id}/members
Critical
CVE-2026-47413
was published
for
praisonai-platform
(pip)
Jun 1, 2026
Vitest browser mode serves unsanitized otelCarrier query parameter as inline script
Critical
CVE-2026-47428
was published
for
@vitest/browser
(npm)
Jun 1, 2026
When Vitest UI server is listening, arbitrary file can be read and executed
Critical
CVE-2026-47429
was published
for
vitest
(npm)
Jun 1, 2026
Apache Airflow vulnerable to Improper Neutralization of Special Elements Used in a Template Engine
Critical
CVE-2026-42252
was published
for
apache-airflow
(pip)
Jun 1, 2026
praisonai-platform: Any workspace member can promote themselves or others to owner via PATCH /workspaces/{id}/members/{user_id}
Critical
CVE-2026-47416
was published
for
praisonai-platform
(pip)
May 29, 2026
ProTip!
Advisories are also available from the
GraphQL API