GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
4,460 advisories
Filter by severity
FacturaScripts: Path traversal in UploadedFile::move() via getClientOriginalName() — arbitrary file write outside MyFiles/ leading to RCE
Critical
GHSA-hgjx-r89m-m7v4
was published
for
facturascripts/facturascripts
(Composer)
Jul 14, 2026
TidGi Desktop Remote Code Execution via Malicious TiddlyWiki Repository Import — Tiddler Startup Module Auto-Execution
Critical
GHSA-9hc2-hjx8-q6pv
was published
for
tidgi
(npm)
Jul 14, 2026
OpenStack Mistral allows Arbitrary Remote Code Execution when the API is exposed
Critical
CVE-2026-41283
was published
for
mistral
(pip)
Jun 4, 2026
n8n-MCP: Cross-tenant access to workflow version backups in multi-tenant HTTP deployments
Critical
CVE-2026-54052
was published
for
n8n-mcp
(npm)
Jul 14, 2026
Anyquery: Arbitrary File Write (AFW) which could lead to Remote Code Execution (RCE) via Unrestricted ATTACH DATABASE in Server Mode
Critical
CVE-2026-50006
was published
for
github.com/julien040/anyquery
(Go)
Jul 14, 2026
FacturaScripts: Authenticated SQL injection in the FacturaScripts REST API filter parameter via parenthesis bypass in `Where::sqlColumn`
Critical
CVE-2026-45262
was published
for
facturascripts/facturascripts
(Composer)
Jul 14, 2026
Kimai: Default APP_SECRET in Docker Image Enables Cookie Forgery and Account Takeover
Critical
CVE-2026-52824
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
FacturaScripts: Account takeover of any 2FA-enabled user
Critical
CVE-2026-47677
was published
for
facturascripts/facturascripts
(Composer)
Jul 13, 2026
DIRAC is vulnerable to RCE in FileCatalog DatasetManager via SQL injection + eval
Critical
CVE-2026-61667
was published
for
DIRAC
(pip)
Jul 13, 2026
Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass
Critical
CVE-2026-47065
was published
for
org.apache.mina:mina-core
(Maven)
Jun 3, 2026
DIRAC is vulnerable to RCE in RequestManager due to eval on untrusted input
Critical
CVE-2026-45579
was published
for
DIRAC
(pip)
Jul 13, 2026
TSDProxy: Internal proxy auth token forwarded to backend services enables management API escalation
Critical
GHSA-g936-7jqj-mwv8
was published
for
github.com/almeidapaulopt/tsdproxy
(Go)
Jul 10, 2026
SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content
Critical
CVE-2026-50551
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
prestashop/ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE
Critical
CVE-2026-54159
was published
for
prestashop/ps_facetedsearch
(Composer)
Jul 10, 2026
SiYuan: Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML()
Critical
CVE-2026-54158
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE)
Critical
CVE-2026-54088
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Jul 10, 2026
`exploration` was removed from crates.io for malicious code
Critical
GHSA-99j7-fhr2-xfj4
was published
for
exploration
(Rust)
Jul 10, 2026
MLflow: Environment variable injection in AI Gateway secrets enables server-side credential exfiltration
Critical
CVE-2026-4035
was published
for
mlflow
(pip)
Jun 3, 2026
SiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist
Critical
CVE-2026-54069
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
File Browser: Authentication Bypass via Proxy Auth Header Forgery
Critical
CVE-2026-54089
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Jul 10, 2026
Authorizer: Unvalidated redirect_uri in /authorize leaks OAuth2 tokens to attacker-controlled URL
Critical
CVE-2026-54072
was published
for
github.com/authorizerdev/authorizer
(Go)
Jul 10, 2026
SiYuan: Stored XSS to RCE via CSS-snippet <style> breakout in renderSnippet()
Critical
CVE-2026-54067
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
golang.org/x/crypto: Invoking client can cause server deadlock on unexpected responses
Critical
CVE-2026-39830
was published
for
golang.org/x/crypto
(Go)
Jun 25, 2026
golang.org/x/crypto doesn't drop invoking agent constraints when forwarding keys
Critical
CVE-2026-39832
was published
for
golang.org/x/crypto
(Go)
Jun 25, 2026
golang.org/x/crypto vulnerable to auth bypass via unenforced @revoked status
Critical
CVE-2026-42508
was published
for
golang.org/x/crypto
(Go)
Jun 25, 2026
ProTip!
Advisories are also available from the
GraphQL API