GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,282
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,105
Rust
1,490
Swift
61
Unreviewed advisories
All unreviewed
5,000+
677 advisories
Filter by severity
laravel-backup-restore has an OS Command Injection during database restore
High
CVE-2026-53932
was published
for
wnx/laravel-backup-restore
(Composer)
Jul 9, 2026
Nuclio: Unsanitized cron trigger event headers/body injected into CronJob shell command leads to persistent RCE
Critical
CVE-2026-52831
was published
for
github.com/nuclio/nuclio
(Go)
Jul 8, 2026
EGroupware has Authenticated RCE via Malicious eTemplate Upload
High
CVE-2026-40187
was published
for
egroupware/egroupware
(Composer)
Jul 7, 2026
Linuxfabrik Monitoring Plugins have local privilege escalation using embedded command
High
CVE-2026-55426
was published
for
linuxfabrik-lib
(pip)
Jul 6, 2026
Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh`
High
CVE-2026-55427
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
flyto-core has Unauthenticated Command Execution via HTTP MCP `execute_module`
High
CVE-2026-55786
was published
for
flyto-core
(pip)
Jul 6, 2026
9router: Missing Authorization and OS Command Injection
Critical
CVE-2026-59800
was published
for
9router
(npm)
Jul 2, 2026
electerm has Command Injection in File System Operations (rmrf, mv, cp)
High
CVE-2026-49255
was published
for
electerm
(npm)
Jul 2, 2026
Grackle has command/argument injection in the git worktree executor that enables RCE on provisioned hosts via an unsanitized task branch name (shell:true)
High
GHSA-vv65-f55v-xm6g
was published
for
@grackle-ai/powerline
(npm)
Jul 2, 2026
Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent
High
CVE-2026-44454
was published
for
github.com/coder/coder
(Go)
Jul 2, 2026
OpenClaw's POSIX node system.run safe-bin allowlist could be widened by shell expansion
High
GHSA-mhq8-78pj-5j79
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw's marketplace runtime extension metadata could point at unscanned payloads
High
CVE-2026-53810
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Bundle MCP loopback could miss its exec denylist on session spawn
Moderate
GHSA-qh2f-99mv-mrcf
was published
for
openclaw
(npm)
Jul 2, 2026
pnpm: Repository-controlled configDependencies can select a pacquet native install engine
High
CVE-2026-55697
was published
for
pnpm
(npm)
Jun 26, 2026
php-weasyprint: shell command injection via configurable WeasyPrint binary path due to inverted is_executable() guard (mirror of KnpLabs/snappy GHSA-vpr4-p6fq-85jc)
High
CVE-2026-49260
was published
for
pontedilana/php-weasyprint
(Composer)
Jun 26, 2026
@cyclonedx/cdxgen: Maven project scanning may allow shell command injection through repository-controlled module paths
Moderate
GHSA-5vwr-qchf-q4pf
was published
for
@cyclonedx/cdxgen
(npm)
Jun 26, 2026
ImageMagick: Policy Bypass can read disallowed files via symlink
Moderate
CVE-2026-49219
was published
for
Magick.NET-Q16-AnyCPU
(NuGet)
Jun 25, 2026
Mise's local credential_command executes untrusted config
Moderate
CVE-2026-55448
was published
for
mise
(Rust)
Jun 23, 2026
Mise vulnerable to arbitrary command execution via task-include files in an untrusted, config-less repository
High
CVE-2026-55441
was published
for
mise
(Rust)
Jun 23, 2026
AVideo has an incomplete fix of CVE-2026-33482: sanitizeFFmpegCommand still allows a single '&' (background operator), giving OS command execution at the same execAsync sh -c sink
High
CVE-2026-55173
was published
for
wwbn/avideo
(Composer)
Jun 23, 2026
Glances is Vulnerable to Command Injection via KVM/QEMU VM Domain Names in glances/plugins/vms/engines/virsh.py
High
CVE-2026-46606
was published
for
glances
(pip)
Jun 22, 2026
githubtoplanguages: Command Injection via Issue Title in Discord Notification Workflow
High
GHSA-c3xh-98xp-6qhf
was published
for
gouef/githubtoplanguages
(GitHub Actions)
Jun 19, 2026
@cyclonedx/cyclonedx-npm: Shell Injection via Unsanitized --workspace Argument
High
CVE-2026-55849
was published
for
@cyclonedx/cyclonedx-npm
(npm)
Jun 19, 2026
Agentic-Flow: OS Command Injection in agentic-flow MCP server tools via unsanitized tool-parameter interpolation into execSync
High
GHSA-vcv2-r9jh-99m5
was published
for
agentic-flow
(npm)
Jun 19, 2026
agent-coderag: Gradle Wrapper Execution During Dependency Discovery Enables Arbitrary Code Execution
High
GHSA-wg5p-8h9p-3mr7
was published
for
agent-coderag
(pip)
Jun 19, 2026
ProTip!
Advisories are also available from the
GraphQL API