Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

39 advisories

Loading
OpenStack Mistral allows Arbitrary Remote Code Execution when the API is exposed Critical
CVE-2026-41283 was published for mistral (pip) Jun 4, 2026
Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99) Moderate
CVE-2026-45670 was published for @nuxt/rspack-builder (npm) May 19, 2026
sapphi-red Credited to sapphi-red
Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise Critical
CVE-2026-26190 was published for github.com/milvus-io/milvus (Go) Feb 11, 2026
0x1f Credited to 0x1f and cookesan cookesan cookesan
Uhudsavasindankacanokcu2 Credited to Uhudsavasindankacanokcu2 and DavidCarliez DavidCarliez DavidCarliez
Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE Critical
CVE-2026-53633 was published for @vitest/browser (npm) Jun 15, 2026
filebrowser Allows Shell Commands to Spawn Other Commands High
CVE-2025-52903 was published for github.com/filebrowser/filebrowser/v2 (Go) Jun 27, 2025
mtausig Credited to mtausig and hacdias hacdias hacdias
Nautobot: GitRepository.current_head field should not be writable through REST API High
CVE-2026-44798 was published for nautobot (pip) May 13, 2026
holmie Credited to holmie
view_component: Preview Route Can Dispatch Inherited Helper Methods Moderate
CVE-2026-44836 was published for view_component (RubyGems) May 8, 2026
cyberlanc3r Credited to cyberlanc3r
PenPot MCP REPL server binds to 0.0.0.0 with unauthenticated /execute endpoint — RCE High
CVE-2026-45805 was published for @penpot/mcp (npm) May 19, 2026
AyushParkara Credited to AyushParkara and overgrowncarrot1 overgrowncarrot1 overgrowncarrot1
webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins Moderate
CVE-2026-6402 was published for webpack-dev-server (npm) May 18, 2026
sapphi-red Credited to sapphi-red, UlisesGascon, bjohansebas, and alexander-akait UlisesGascon UlisesGascon
bjohansebas bjohansebas alexander-akait alexander-akait
OneUptime has Synthetic Monitor RCE via exposed Playwright browser object Critical
CVE-2026-30957 was published for @oneuptime/common (npm) Mar 10, 2026
maru1009 Credited to maru1009
OneUptime: Synthetic Monitor RCE via exposed Playwright browser object Critical
CVE-2026-30921 was published for @oneuptime/common (npm) Mar 7, 2026
maru1009 Credited to maru1009
OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution High
CVE-2026-22812 was published for opencode-ai (npm) Jan 13, 2026
CyberShadow Credited to CyberShadow
Self-hosted n8n has Legacy Code node that enables arbitrary file read/write High
CVE-2025-68697 was published for n8n (npm) Dec 26, 2025
berkdedekarginoglu Credited to berkdedekarginoglu
Docker MCP Plugin and Docker MCP Gateway have DNS Rebinding vulnerability when running in sse or streaming mode High
CVE-2025-64443 was published for github.com/docker/mcp-gateway (Go) Dec 3, 2025
JLLeitschuh Credited to JLLeitschuh
Improper Input Validation in Apache Struts High
CVE-2006-1547 was published for struts:struts (Maven) May 1, 2022
webpack-dev-server users' source code may be stolen when they access a malicious web site Moderate
CVE-2025-30359 was published for webpack-dev-server (npm) Jun 4, 2025
sapphi-red Credited to sapphi-red
TYPO3 Cross-Site Request Forgery in Log Module Moderate
CVE-2024-55893 was published for typo3/cms-belog (Composer) Jan 14, 2025
zly123987 Credited to zly123987, shm0sby, and rosegabe shm0sby shm0sby
rosegabe rosegabe
TYPO3 Cross-Site Request Forgery in Backend User Module Moderate
CVE-2024-55894 was published for typo3/cms-beuser (Composer) Jan 14, 2025
zly123987 Credited to zly123987, shm0sby, and rosegabe shm0sby shm0sby
rosegabe rosegabe
TYPO3 DB Check Module vulnerable to Cross-Site Request Forgery Moderate
CVE-2024-55945 was published for typo3/cms-lowlevel (Composer) Jan 14, 2025
shm0sby Credited to shm0sby and rosegabe rosegabe rosegabe
TYPO3 Scheduler Module vulnerable to Cross-Site Request Forgery High
CVE-2024-55924 was published for typo3/cms-scheduler (Composer) Jan 14, 2025
shm0sby Credited to shm0sby and rosegabe rosegabe rosegabe
TYPO3 Cross-Site Request Forgery in Dashboard Module Moderate
CVE-2024-55920 was published for typo3/cms-dashboard (Composer) Jan 14, 2025
TYPO3 Extension Manager Module vulnerable to Cross-Site Request Forgery High
CVE-2024-55921 was published for typo3/cms-extensionmanager (Composer) Jan 14, 2025
TYPO3 Form Framework Module vulnerable to Cross-Site Request Forgery Moderate
CVE-2024-55922 was published for typo3/cms-form (Composer) Jan 14, 2025
ProTip! Advisories are also available from the GraphQL API