GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
338 advisories
Filter by severity
NotrinosERP: Authenticated arbitrary file upload leads to remote code execution via HRM employee "Documents" (doc_file)
High
GHSA-qv4m-m73m-8hj7
was published
for
notrinos/notrinos-erp
(Composer)
Jul 10, 2026
Joro: Unauthenticated Cross-Origin Plugin Upload Leads to RCE
Critical
CVE-2026-53649
was published
for
github.com/BishopFox/joro
(Go)
Jul 8, 2026
motionEye: LFI → pass‑the‑hash admin → unsafe restore → unauth action exec (RCE)
Critical
GHSA-qxvg-h7q2-hcxh
was published
for
motioneye
(pip)
Jun 23, 2026
Paymenter vulnerable to Remote Code Execution via public file uploads
Critical
CVE-2025-58048
was published
for
paymenter/paymenter
(Composer)
Jun 22, 2026
parse-server: Stored XSS via non-standard file extension bypassing file upload extension blocklist
Low
CVE-2026-55778
was published
for
parse-server
(npm)
Jun 19, 2026
parse-server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist
Low
CVE-2026-53724
was published
for
parse-server
(npm)
Jun 19, 2026
DotVVM: Unrestricted file upload
Moderate
GHSA-2rm3-333w-xvc4
was published
for
DotVVM
(NuGet)
Jun 19, 2026
CodeIgniter4 has a validation bypass when uploading file extensions via `ext_in` rule
Critical
CVE-2026-48062
was published
for
codeigniter4/framework
(Composer)
Jun 11, 2026
Budibase: Unrestricted Upload of File with Dangerous Type
High
CVE-2026-46426
was published
for
budibase
(npm)
May 19, 2026
Open WebUI has stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions
High
CVE-2026-45315
was published
for
open-webui
(pip)
May 14, 2026
Strapi Upload Plugin MIME Validation Bypass via Content API
Moderate
CVE-2026-22707
was published
for
@strapi/upload
(npm)
May 14, 2026
Dalfox Server Mode has an Unauthenticated Arbitrary File Create/Append via `output` Option
High
CVE-2026-45089
was published
for
github.com/hahwul/dalfox/v2
(Go)
May 12, 2026
Open WebUI Vulnerable to Arbitrary File Upload and Path Traversal
High
CVE-2026-44566
was published
for
open-webui
(pip)
May 8, 2026
FacturaScripts Vulnerable to Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images
Moderate
CVE-2026-42879
was published
for
facturascripts/facturascripts
(Composer)
May 7, 2026
FacturaScripts Vulnerable to Remote Code Execution (RCE) via Zip Slip in Plugin Upload Mechanism
High
CVE-2026-27891
was published
for
facturascripts/facturascripts
(Composer)
May 7, 2026
Low-privileged Grav API users can create super-admin accounts via blueprint-upload
High
CVE-2026-42844
was published
for
getgrav/grav
(Composer)
May 6, 2026
livewire-markdown-editor has arbitrary file upload that allows stored XSS via attachment handler
High
GHSA-gxxh-8vcj-w2mh
was published
for
mckenziearts/livewire-markdown-editor
(Composer)
May 4, 2026
OpenSTAManager contains an arbitrary file upload vulnerability in its module update functionality
High
CVE-2026-38751
was published
for
devcode-it/openstamanager
(Composer)
May 4, 2026
CI4MS has Unrestricted PHP File Upload via Theme Installation that Leads to Authenticated Remote Code Execution
High
CVE-2026-41587
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 29, 2026
Cockpit Vulnerable to Unrestricted Upload of File with Dangerous Type
High
CVE-2026-38991
was published
for
cockpit-hq/cockpit
(Composer)
Apr 29, 2026
OpenMage LTS: Customer File Upload Extension Blocklist Bypass → Remote Code Execution
High
CVE-2026-40488
was published
for
openmage/magento-lts
(Composer)
Apr 21, 2026
pip has an interpretation conflict due to handling both concatenated tar and ZIP files as ZIP files
Moderate
CVE-2026-3219
was published
for
pip
(pip)
Apr 20, 2026
Flowise: File Upload Validation Bypass in createAttachment
High
CVE-2026-41269
was published
for
flowise
(npm)
Apr 16, 2026
Weblate: Remote code execution during backup restoration
High
CVE-2026-33435
was published
for
weblate
(pip)
Apr 16, 2026
Note Mark has Stored XSS via Unrestricted Asset Upload
High
CVE-2026-40262
was published
for
github.com/enchant97/note-mark/backend
(Go)
Apr 13, 2026
ProTip!
Advisories are also available from the
GraphQL API