Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,460 advisories

Loading
vm2 has a Sandbox Escape issue Critical
CVE-2026-47131 was published for vm2 (npm) May 29, 2026
cookesan Credited to cookesan
Casdoor has an authentication bypass Critical
CVE-2026-9090 was published for github.com/casdoor/casdoor (Go) May 28, 2026
Casdoor doesn't verify that a JWT used for token exchange is still active Critical
CVE-2026-9097 was published for github.com/casdoor/casdoor (Go) May 28, 2026
Casdoor does not validate the AudienceRestriction element in SAML assertions Critical
CVE-2026-9093 was published for github.com/casdoor/casdoor (Go) May 28, 2026
Casdoor: GetTokenExchangeToken bypass through lack of cross-organization JWT signature check Critical
CVE-2026-9094 was published for github.com/casdoor/casdoor (Go) May 28, 2026
MCP Toolbox for Databases vulnerable to DNS rebinding attacks Critical
CVE-2026-9739 was published for github.com/googleapis/mcp-toolbox (Go) May 28, 2026
Yamcs Vulnerable to Authenticated Remote Code Execution (RCE) via Jython Algorithm Code Injection Critical
CVE-2026-46621 was published for org.yamcs:yamcs-core (Maven) May 27, 2026
superpegaso2703 Credited to superpegaso2703
Yamcs Vulnerable to Remote Code Execution via Mission Database algorithm override Critical
CVE-2026-46562 was published for org.yamcs:yamcs-core (Maven) May 27, 2026
2BCEB1 Credited to 2BCEB1
Langroid has Prompt to SQL Injection, Leading to RCE Critical
CVE-2026-25879 was published for langroid (pip) May 27, 2026
Ka7arotto Credited to Ka7arotto
LiquidJS is Vulnerable to Remote Code Execution Critical
CVE-2026-45618 was published for liquidjs (npm) May 27, 2026
c0rydoras Credited to c0rydoras
Yamcs Vulnerable to Server-Side Code Injection (RCE) via Janino Expression Engine in `JavaExprAlgorithmExecutionFactory` Critical
CVE-2026-44632 was published for org.yamcs:yamcs-core (Maven) May 27, 2026
superpegaso2703 Credited to superpegaso2703
XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName} Critical
CVE-2026-33137 was published for org.xwiki.platform:xwiki-platform-rest-server (Maven) May 26, 2026
odgrso Credited to odgrso
XWiki Platform has path traversal via resources parameter in ssx and jsx endpoints when using leading slash Critical
CVE-2026-23734 was published for org.xwiki.commons:xwiki-commons-classloader-api (Maven) May 26, 2026
majkelstick Credited to majkelstick
KubeVirt has a Link Following vulnerability Critical
CVE-2026-7374 was published for kubevirt.io/kubevirt (Go) May 26, 2026
Dolibarr ERP CRM contains a remote code evaluation vulnerability Critical
CVE-2018-25357 was published for dolibarr/dolibarr (Composer) May 26, 2026
Apache CXF has an LDAP injection vulnerability Critical
CVE-2026-44930 was published for org.apache.cxf.services.xkms:cxf-services-xkms-x509-repo-ldap (Maven) May 26, 2026
Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron Critical
CVE-2026-46716 was published for github.com/nezhahq/nezha (Go) May 23, 2026
FileBrowser Quantum: Path traversal in public share PATCH allows file ops outside shared directory Critical
CVE-2026-48777 was published for github.com/gtsteffaniak/filebrowser/backend (Go) May 22, 2026
fg0x0 Credited to fg0x0 and Revanth011 Revanth011 Revanth011
YesWiki: Unauthenticated SQL Injection Critical
CVE-2026-46670 was published for yeswiki/yeswiki (Composer) May 22, 2026
SamyGhannad Credited to SamyGhannad
Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host Critical
CVE-2026-46703 was published for @boxlite-ai/boxlite (Go) May 21, 2026
XlabAITeam Credited to XlabAITeam, keenanwgn, and A7um keenanwgn keenanwgn
A7um A7um
BoxLite: Permission Bypass Allows Modification of Read-Only Files Critical
CVE-2026-46695 was published for @boxlite-ai/boxlite (Go) May 21, 2026
XlabAITeam Credited to XlabAITeam, keenanwgn, and A7um keenanwgn keenanwgn
A7um A7um
Concrete CMS Vulnerable to Relative Path Traversal Critical
CVE-2026-8134 was published for concrete5/concrete5 (Composer) May 21, 2026
Twig: PHP code injection via `{% use %}` template name Critical
CVE-2026-46633 was published for twig/twig (Composer) May 21, 2026
ProTip! Advisories are also available from the GraphQL API