GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
39 advisories
Filter by severity
OpenStack Mistral allows Arbitrary Remote Code Execution when the API is exposed
Critical
CVE-2026-41283
was published
for
mistral
(pip)
Jun 4, 2026
Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)
Moderate
CVE-2026-45670
was published
for
@nuxt/rspack-builder
(npm)
May 19, 2026
Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise
Critical
CVE-2026-26190
was published
for
github.com/milvus-io/milvus
(Go)
Feb 11, 2026
@nuxt/webpack-builder and @nuxt/rspack-builder dev server same-origin check bypassed when Sec-Fetch-Site, Origin, and Referer are all absent (incomplete fix for GHSA-6m52-m754-pw2g)
Moderate
CVE-2026-49993
was published
for
@nuxt/rspack-builder
(npm)
Jun 16, 2026
Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE
Critical
CVE-2026-53633
was published
for
@vitest/browser
(npm)
Jun 15, 2026
filebrowser Allows Shell Commands to Spawn Other Commands
High
CVE-2025-52903
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Jun 27, 2025
Nautobot: GitRepository.current_head field should not be writable through REST API
High
CVE-2026-44798
was published
for
nautobot
(pip)
May 13, 2026
view_component: Preview Route Can Dispatch Inherited Helper Methods
Moderate
CVE-2026-44836
was published
for
view_component
(RubyGems)
May 8, 2026
PenPot MCP REPL server binds to 0.0.0.0 with unauthenticated /execute endpoint — RCE
High
CVE-2026-45805
was published
for
@penpot/mcp
(npm)
May 19, 2026
webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins
Moderate
CVE-2026-6402
was published
for
webpack-dev-server
(npm)
May 18, 2026
OneUptime has Synthetic Monitor RCE via exposed Playwright browser object
Critical
CVE-2026-30957
was published
for
@oneuptime/common
(npm)
Mar 10, 2026
OneUptime: Synthetic Monitor RCE via exposed Playwright browser object
Critical
CVE-2026-30921
was published
for
@oneuptime/common
(npm)
Mar 7, 2026
OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution
High
CVE-2026-22812
was published
for
opencode-ai
(npm)
Jan 13, 2026
Microsoft Playwright MCP Server vulnerable to DNS Rebinding Attack; Allows Attackers Access to All Server Tools
High
CVE-2025-9611
was published
for
@playwright/mcp
(npm)
Jan 7, 2026
Self-hosted n8n has Legacy Code node that enables arbitrary file read/write
High
CVE-2025-68697
was published
for
n8n
(npm)
Dec 26, 2025
Docker MCP Plugin and Docker MCP Gateway have DNS Rebinding vulnerability when running in sse or streaming mode
High
CVE-2025-64443
was published
for
github.com/docker/mcp-gateway
(Go)
Dec 3, 2025
Improper Input Validation in Apache Struts
High
CVE-2006-1547
was published
for
struts:struts
(Maven)
May 1, 2022
webpack-dev-server users' source code may be stolen when they access a malicious web site
Moderate
CVE-2025-30359
was published
for
webpack-dev-server
(npm)
Jun 4, 2025
TYPO3 Cross-Site Request Forgery in Log Module
Moderate
CVE-2024-55893
was published
for
typo3/cms-belog
(Composer)
Jan 14, 2025
TYPO3 Cross-Site Request Forgery in Backend User Module
Moderate
CVE-2024-55894
was published
for
typo3/cms-beuser
(Composer)
Jan 14, 2025
TYPO3 DB Check Module vulnerable to Cross-Site Request Forgery
Moderate
CVE-2024-55945
was published
for
typo3/cms-lowlevel
(Composer)
Jan 14, 2025
TYPO3 Scheduler Module vulnerable to Cross-Site Request Forgery
High
CVE-2024-55924
was published
for
typo3/cms-scheduler
(Composer)
Jan 14, 2025
TYPO3 Cross-Site Request Forgery in Dashboard Module
Moderate
CVE-2024-55920
was published
for
typo3/cms-dashboard
(Composer)
Jan 14, 2025
TYPO3 Extension Manager Module vulnerable to Cross-Site Request Forgery
High
CVE-2024-55921
was published
for
typo3/cms-extensionmanager
(Composer)
Jan 14, 2025
TYPO3 Form Framework Module vulnerable to Cross-Site Request Forgery
Moderate
CVE-2024-55922
was published
for
typo3/cms-form
(Composer)
Jan 14, 2025
ProTip!
Advisories are also available from the
GraphQL API