GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
4,460 advisories
Filter by severity
Casdoor has an authentication bypass
Critical
CVE-2026-9090
was published
for
github.com/casdoor/casdoor
(Go)
May 28, 2026
Casdoor SAML callback handler accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest
Critical
CVE-2026-9098
was published
for
github.com/casdoor/casdoor
(Go)
May 28, 2026
Casdoor doesn't verify that a JWT used for token exchange is still active
Critical
CVE-2026-9097
was published
for
github.com/casdoor/casdoor
(Go)
May 28, 2026
Casdoor does not validate the AudienceRestriction element in SAML assertions
Critical
CVE-2026-9093
was published
for
github.com/casdoor/casdoor
(Go)
May 28, 2026
Casdoor: GetTokenExchangeToken bypass through lack of cross-organization JWT signature check
Critical
CVE-2026-9094
was published
for
github.com/casdoor/casdoor
(Go)
May 28, 2026
MCP Toolbox for Databases vulnerable to DNS rebinding attacks
Critical
CVE-2026-9739
was published
for
github.com/googleapis/mcp-toolbox
(Go)
May 28, 2026
Yamcs Vulnerable to Authenticated Remote Code Execution (RCE) via Jython Algorithm Code Injection
Critical
CVE-2026-46621
was published
for
org.yamcs:yamcs-core
(Maven)
May 27, 2026
Yamcs Vulnerable to Remote Code Execution via Mission Database algorithm override
Critical
CVE-2026-46562
was published
for
org.yamcs:yamcs-core
(Maven)
May 27, 2026
Langroid has Prompt to SQL Injection, Leading to RCE
Critical
CVE-2026-25879
was published
for
langroid
(pip)
May 27, 2026
LiquidJS is Vulnerable to Remote Code Execution
Critical
CVE-2026-45618
was published
for
liquidjs
(npm)
May 27, 2026
Yamcs Vulnerable to Server-Side Code Injection (RCE) via Janino Expression Engine in `JavaExprAlgorithmExecutionFactory`
Critical
CVE-2026-44632
was published
for
org.yamcs:yamcs-core
(Maven)
May 27, 2026
XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}
Critical
CVE-2026-33137
was published
for
org.xwiki.platform:xwiki-platform-rest-server
(Maven)
May 26, 2026
XWiki Platform has path traversal via resources parameter in ssx and jsx endpoints when using leading slash
Critical
CVE-2026-23734
was published
for
org.xwiki.commons:xwiki-commons-classloader-api
(Maven)
May 26, 2026
KubeVirt has a Link Following vulnerability
Critical
CVE-2026-7374
was published
for
kubevirt.io/kubevirt
(Go)
May 26, 2026
MLflow allows unauthorized access to multipart upload endpoints when the `--serve-artifacts` mode is enabled
Critical
CVE-2026-2651
was published
for
mlflow
(pip)
May 26, 2026
Dolibarr ERP CRM contains a remote code evaluation vulnerability
Critical
CVE-2018-25357
was published
for
dolibarr/dolibarr
(Composer)
May 26, 2026
Apache CXF has an LDAP injection vulnerability
Critical
CVE-2026-44930
was published
for
org.apache.cxf.services.xkms:cxf-services-xkms-x509-repo-ldap
(Maven)
May 26, 2026
Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron
Critical
CVE-2026-46716
was published
for
github.com/nezhahq/nezha
(Go)
May 23, 2026
FileBrowser Quantum: Path traversal in public share PATCH allows file ops outside shared directory
Critical
CVE-2026-48777
was published
for
github.com/gtsteffaniak/filebrowser/backend
(Go)
May 22, 2026
YesWiki: Unauthenticated SQL Injection
Critical
CVE-2026-46670
was published
for
yeswiki/yeswiki
(Composer)
May 22, 2026
Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host
Critical
CVE-2026-46703
was published
for
@boxlite-ai/boxlite
(Go)
May 21, 2026
BoxLite: Permission Bypass Allows Modification of Read-Only Files
Critical
CVE-2026-46695
was published
for
@boxlite-ai/boxlite
(Go)
May 21, 2026
Concrete CMS Vulnerable to Relative Path Traversal
Critical
CVE-2026-8134
was published
for
concrete5/concrete5
(Composer)
May 21, 2026
Twig: PHP code injection via `{% use %}` template name
Critical
CVE-2026-46633
was published
for
twig/twig
(Composer)
May 21, 2026
ProTip!
Advisories are also available from the
GraphQL API