GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
4,449 advisories
Filter by severity
TSDProxy: Internal proxy auth token forwarded to backend services enables management API escalation
Critical
GHSA-g936-7jqj-mwv8
was published
for
github.com/almeidapaulopt/tsdproxy
(Go)
Jul 10, 2026
SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content
Critical
CVE-2026-50551
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
prestashop/ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE
Critical
CVE-2026-54159
was published
for
prestashop/ps_facetedsearch
(Composer)
Jul 10, 2026
SiYuan: Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML()
Critical
CVE-2026-54158
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE)
Critical
CVE-2026-54088
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Jul 10, 2026
`exploration` was removed from crates.io for malicious code
Critical
GHSA-99j7-fhr2-xfj4
was published
for
exploration
(Rust)
Jul 10, 2026
File Browser: Authentication Bypass via Proxy Auth Header Forgery
Critical
CVE-2026-54089
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Jul 10, 2026
SiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist
Critical
CVE-2026-54069
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
Authorizer: Unvalidated redirect_uri in /authorize leaks OAuth2 tokens to attacker-controlled URL
Critical
CVE-2026-54072
was published
for
github.com/authorizerdev/authorizer
(Go)
Jul 10, 2026
SiYuan: Stored XSS to RCE via CSS-snippet <style> breakout in renderSnippet()
Critical
CVE-2026-54067
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
YesWiki has Unsafe eval() in its Formula Calculato, Leading to Remote Code Execution & Denial of Service
Critical
CVE-2026-52778
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki Vulnerable to Authenticated PHP Object Injection in BazarImportAction via unserialize
Critical
CVE-2026-52777
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki vulnerable to unauthenticated arbitrary page deletion via `{{erasespamedcomments}}` action
Critical
CVE-2026-52766
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
Joro: Unauthenticated Cross-Origin Plugin Upload Leads to RCE
Critical
CVE-2026-53649
was published
for
github.com/BishopFox/joro
(Go)
Jul 8, 2026
Nuclio: Unsanitized cron trigger event headers/body injected into CronJob shell command leads to persistent RCE
Critical
CVE-2026-52831
was published
for
github.com/nuclio/nuclio
(Go)
Jul 8, 2026
Goploy: Cross-namespace IDOR and RCE via body-supplied row id in project and project_file handlers
Critical
CVE-2026-53552
was published
for
github.com/zhenorzz/goploy
(Go)
Jul 7, 2026
@better-auth/sso provider registration has server-side request forgery via unvalidated OIDC endpoints
Critical
CVE-2026-53513
was published
for
@better-auth/sso
(npm)
Jul 7, 2026
Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins
Critical
CVE-2026-53512
was published
for
better-auth
(npm)
Jul 7, 2026
EGroupware has a Remote Code Execution Vulnerability
Critical
CVE-2026-27823
was published
for
egroupware/egroupware
(Composer)
Jul 7, 2026
9routers has Exposure of Sensitive Information and Unprotected Database Import/Export, Allowing Complete Credential Theft and Database Takeover
Critical
CVE-2026-55500
was published
for
9router
(npm)
Jul 6, 2026
Zebra: Missing copy constraint in halo2_gadgets variable-base scalar multiplication allows under-constrained base, breaking Orchard Action circuit soundness
Critical
CVE-2026-54496
was published
for
halo2_gadgets
(Rust)
Jul 6, 2026
Langroid: Neo4jChatAgent executes LLM-generated Cypher without validation (prompt-to-Cypher injection; config-conditional RCE), mirroring the SQLChatAgent bug fixed in CVE-2026-25879
Critical
CVE-2026-55615
was published
for
langroid
(pip)
Jul 6, 2026
9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats
Critical
GHSA-vjc7-jrh9-9j86
was published
for
9router
(npm)
Jul 6, 2026
Langroid: Sandbox Escape to Remote Code Execution via Incomplete `eval()` Mitigation in TableChatAgent
Critical
CVE-2026-54769
was published
for
langroid
(pip)
Jul 6, 2026
Langroid: SQLChatAgent dangerous-function blocklist can be bypassed with quoted or schema-qualified pg_read_file calls
Critical
CVE-2026-54760
was published
for
langroid
(pip)
Jul 6, 2026
ProTip!
Advisories are also available from the
GraphQL API