GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
338 advisories
Filter by severity
NotrinosERP: Authenticated arbitrary file upload leads to remote code execution via HRM employee "Documents" (doc_file)
High
GHSA-qv4m-m73m-8hj7
was published
for
notrinos/notrinos-erp
(Composer)
Jul 10, 2026
Joro: Unauthenticated Cross-Origin Plugin Upload Leads to RCE
Critical
CVE-2026-53649
was published
for
github.com/BishopFox/joro
(Go)
Jul 8, 2026
motionEye: LFI → pass‑the‑hash admin → unsafe restore → unauth action exec (RCE)
Critical
GHSA-qxvg-h7q2-hcxh
was published
for
motioneye
(pip)
Jun 23, 2026
Paymenter vulnerable to Remote Code Execution via public file uploads
Critical
CVE-2025-58048
was published
for
paymenter/paymenter
(Composer)
Jun 22, 2026
parse-server: Stored XSS via non-standard file extension bypassing file upload extension blocklist
Low
CVE-2026-55778
was published
for
parse-server
(npm)
Jun 19, 2026
parse-server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist
Low
CVE-2026-53724
was published
for
parse-server
(npm)
Jun 19, 2026
DotVVM: Unrestricted file upload
Moderate
GHSA-2rm3-333w-xvc4
was published
for
DotVVM
(NuGet)
Jun 19, 2026
CodeIgniter4 has a validation bypass when uploading file extensions via `ext_in` rule
Critical
CVE-2026-48062
was published
for
codeigniter4/framework
(Composer)
Jun 11, 2026
Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload
Low
CVE-2026-33221
was published
for
github.com/nhost/nhost
(Go)
Mar 18, 2026
Django Filer Unrestricted Upload of File with Dangerous Type
Moderate
CVE-2024-11404
was published
for
django-filer
(pip)
Nov 20, 2024
FacturaScripts Vulnerable to Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images
Moderate
CVE-2026-42879
was published
for
facturascripts/facturascripts
(Composer)
May 7, 2026
Budibase: Unrestricted Upload of File with Dangerous Type
High
CVE-2026-46426
was published
for
budibase
(npm)
May 19, 2026
Dalfox Server Mode has an Unauthenticated Arbitrary File Create/Append via `output` Option
High
CVE-2026-45089
was published
for
github.com/hahwul/dalfox/v2
(Go)
May 12, 2026
Weblate: Remote code execution during backup restoration
High
CVE-2026-33435
was published
for
weblate
(pip)
Apr 16, 2026
Gradio Allows Unauthorized File Copy via Path Manipulation
Moderate
CVE-2025-48889
was published
for
gradio
(pip)
May 29, 2025
UnoPim vulnerable to remote code execution through Arbitrary File upload
High
CVE-2025-55743
was published
for
unopim/unopim
(Composer)
Aug 21, 2025
pip has an interpretation conflict due to handling both concatenated tar and ZIP files as ZIP files
Moderate
CVE-2026-3219
was published
for
pip
(pip)
Apr 20, 2026
Open WebUI has stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions
High
CVE-2026-45315
was published
for
open-webui
(pip)
May 14, 2026
Open WebUI Vulnerable to Arbitrary File Upload and Path Traversal
High
CVE-2026-44566
was published
for
open-webui
(pip)
May 8, 2026
Strapi Upload Plugin MIME Validation Bypass via Content API
Moderate
CVE-2026-22707
was published
for
@strapi/upload
(npm)
May 14, 2026
Low-privileged Grav API users can create super-admin accounts via blueprint-upload
High
CVE-2026-42844
was published
for
getgrav/grav
(Composer)
May 6, 2026
CI4MS has Unrestricted PHP File Upload via Theme Installation that Leads to Authenticated Remote Code Execution
High
CVE-2026-41587
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 29, 2026
OpenSTAManager contains an arbitrary file upload vulnerability in its module update functionality
High
CVE-2026-38751
was published
for
devcode-it/openstamanager
(Composer)
May 4, 2026
FacturaScripts Vulnerable to Remote Code Execution (RCE) via Zip Slip in Plugin Upload Mechanism
High
CVE-2026-27891
was published
for
facturascripts/facturascripts
(Composer)
May 7, 2026
Cockpit Vulnerable to Unrestricted Upload of File with Dangerous Type
High
CVE-2026-38991
was published
for
cockpit-hq/cockpit
(Composer)
Apr 29, 2026
ProTip!
Advisories are also available from the
GraphQL API