GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
157 advisories
Filter by severity
NotrinosERP: Authenticated arbitrary file upload leads to remote code execution via HRM employee "Documents" (doc_file)
High
GHSA-qv4m-m73m-8hj7
was published
for
notrinos/notrinos-erp
(Composer)
Jul 10, 2026
Budibase: Unrestricted Upload of File with Dangerous Type
High
CVE-2026-46426
was published
for
budibase
(npm)
May 19, 2026
Open WebUI has stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions
High
CVE-2026-45315
was published
for
open-webui
(pip)
May 14, 2026
Dalfox Server Mode has an Unauthenticated Arbitrary File Create/Append via `output` Option
High
CVE-2026-45089
was published
for
github.com/hahwul/dalfox/v2
(Go)
May 12, 2026
Open WebUI Vulnerable to Arbitrary File Upload and Path Traversal
High
CVE-2026-44566
was published
for
open-webui
(pip)
May 8, 2026
FacturaScripts Vulnerable to Remote Code Execution (RCE) via Zip Slip in Plugin Upload Mechanism
High
CVE-2026-27891
was published
for
facturascripts/facturascripts
(Composer)
May 7, 2026
Low-privileged Grav API users can create super-admin accounts via blueprint-upload
High
CVE-2026-42844
was published
for
getgrav/grav
(Composer)
May 6, 2026
livewire-markdown-editor has arbitrary file upload that allows stored XSS via attachment handler
High
GHSA-gxxh-8vcj-w2mh
was published
for
mckenziearts/livewire-markdown-editor
(Composer)
May 4, 2026
OpenSTAManager contains an arbitrary file upload vulnerability in its module update functionality
High
CVE-2026-38751
was published
for
devcode-it/openstamanager
(Composer)
May 4, 2026
CI4MS has Unrestricted PHP File Upload via Theme Installation that Leads to Authenticated Remote Code Execution
High
CVE-2026-41587
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 29, 2026
Cockpit Vulnerable to Unrestricted Upload of File with Dangerous Type
High
CVE-2026-38991
was published
for
cockpit-hq/cockpit
(Composer)
Apr 29, 2026
OpenMage LTS: Customer File Upload Extension Blocklist Bypass → Remote Code Execution
High
CVE-2026-40488
was published
for
openmage/magento-lts
(Composer)
Apr 21, 2026
Flowise: File Upload Validation Bypass in createAttachment
High
CVE-2026-41269
was published
for
flowise
(npm)
Apr 16, 2026
Weblate: Remote code execution during backup restoration
High
CVE-2026-33435
was published
for
weblate
(pip)
Apr 16, 2026
Note Mark has Stored XSS via Unrestricted Asset Upload
High
CVE-2026-40262
was published
for
github.com/enchant97/note-mark/backend
(Go)
Apr 13, 2026
OpenClaw: OpenShell Mirror Sync — Sandbox Escape via Unrestricted File Sync + Symlink Traversal
High
CVE-2026-41397
was published
for
openclaw
(npm)
Apr 3, 2026
baserCMS has Unsafe File Upload Leading to Remote Code Execution (RCE)
High
CVE-2025-32957
was published
for
baserproject/basercms
(Composer)
Mar 31, 2026
AVideo: Remote Code Execution via PHP Temp File in Encoder downloadURL
High
CVE-2026-33717
was published
for
wwbn/avideo
(Composer)
Mar 25, 2026
Sharp has Unrestricted File Upload via Client-Controlled Validation Rules
High
CVE-2026-33687
was published
for
code16/sharp
(Composer)
Mar 25, 2026
AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery File Upload
High
CVE-2026-33647
was published
for
wwbn/avideo
(Composer)
Mar 25, 2026
Connect CMS has Stored Cross-site Scripting (XSS) in the File Field of its Form Plugin
High
CVE-2026-32278
was published
for
opensource-workshop/connect-cms
(Composer)
Mar 23, 2026
File Upload(RCE) Vulnerability in admidio
High
CVE-2026-32756
was published
for
admidio/admidio
(Composer)
Mar 16, 2026
Flowise has Arbitrary File Upload via MIME Spoofing
High
CVE-2026-30821
was published
for
flowise
(npm)
Mar 6, 2026
TechDocs Mkdocs Configuration Key Enables Arbitrary Code Execution
High
CVE-2026-29186
was published
for
@backstage/plugin-techdocs-node
(npm)
Mar 5, 2026
FUXA contains an Unrestricted File Upload vulnerability
High
CVE-2025-69981
was published
for
fuxa-server
(npm)
Feb 3, 2026
ProTip!
Advisories are also available from the
GraphQL API