Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,931
Maven
5,000+
npm
5,000+
NuGet
969
pip
5,000+
Pub
13
RubyGems
1,062
Rust
1,382
Swift
56
Unreviewed advisories
All unreviewed
5,000+

11,032 advisories

Loading
CrowdSec AppSec silently drops request body for chunked / HTTP-2 requests High
CVE-2026-44982 was published for github.com/crowdsecurity/crowdsec (Go) May 27, 2026
mmarting Credited to mmarting
Deno's TLS retry copies stale upgrade hook, risking plaintext traffic High
CVE-2026-44726 was published for deno (Rust) May 27, 2026
r3wretrhy Credited to r3wretrhy
LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex High
CVE-2026-45617 was published for liquidjs (npm) May 27, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
Kirby CMS vulnerable to cross-site scripting (XSS) from links in KirbyTags and image blocks in the site frontend High
CVE-2026-45368 was published for getkirby/cms (Composer) May 27, 2026
offset Credited to offset
LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime) High
CVE-2026-45357 was published for liquidjs (npm) May 27, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling High
CVE-2026-45260 was published for pimcore/pimcore (Composer) May 27, 2026
larlarua Credited to larlarua
Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction High
CVE-2026-45162 was published for pimcore/pimcore (Composer) May 27, 2026
tikket1 Credited to tikket1
Symfony Vulnerable to Identity Spoofing via Unanchored DN Regex in X509Authenticator High
CVE-2026-45063 was published for symfony/security-http (Composer) May 27, 2026
@hapi/content header parser has a parameter smuggling issue that allows upload-filter bypass via duplicate parameters High
CVE-2026-44974 was published for @hapi/content (npm) May 27, 2026
threalwinky Credited to threalwinky
Pimcore Admin Classic Bundle Vulnerable to SQL Injection in Translation Grid Date Filter via Unsanitized Property Parameter High
CVE-2026-44741 was published for pimcore/admin-ui-classic-bundle (Composer) May 27, 2026
tikket1 Credited to tikket1
Pimcore Vulnerable to SQL Injection in Custom Reports Column Configuration High
CVE-2026-44739 was published for pimcore/pimcore (Composer) May 27, 2026
msayedZiko Credited to msayedZiko
tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape High
CVE-2026-44705 was published for tmp (npm) May 27, 2026
Gyde04 Credited to Gyde04 and MaanVader MaanVader MaanVader
Kirby CMS has pre-authentication path traversal and PHP file inclusion during user lookup High
CVE-2026-44177 was published for getkirby/cms (Composer) May 26, 2026
offset Credited to offset
Kirby CMS vulnerable to cross-site scripting (XSS) from list field content in the site frontend High
CVE-2026-44175 was published for getkirby/cms (Composer) May 26, 2026
offset Credited to offset
Kirby CMS has an Arbitrary Method Call via REST API Search and Collection Query Endpoints High
CVE-2026-44174 was published for getkirby/cms (Composer) May 26, 2026
mojamojam Credited to mojamojam
FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass High
CVE-2026-43947 was published for fuxa-server (npm) May 26, 2026
AbdrrahimDahmani Credited to AbdrrahimDahmani
FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue High
CVE-2026-43946 was published for fuxa-server (npm) May 26, 2026
anyzy2003 Credited to anyzy2003
FUXA Vulnerable to Pre-auth RCE via Path Manipulation & Configuration Injection High
CVE-2026-43945 was published for @frangoteam/fuxa (npm) May 26, 2026
ud444ng Credited to ud444ng
Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring High
CVE-2026-42462 was published for @fedify/fedify (npm) May 26, 2026
yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation High
CVE-2026-42089 was published for yeoman-environment (npm) May 26, 2026
mshima Credited to mshima, UlisesGascon, and 0xmrma UlisesGascon UlisesGascon
0xmrma 0xmrma
XWiki Platform's Livetable results still allow reconstructing password hashes using 768 requests High
CVE-2026-48048 was published for org.xwiki.platform:xwiki-platform-livetable-ui (Maven) May 26, 2026
Typebot has Stored XSS via Rating Block Custom Icon that Bypasses isUnsafe Sandbox in Builder Preview High
CVE-2026-28445 was published for @typebot.io/js (npm) May 26, 2026
bugbunny-research Credited to bugbunny-research
Arcane: Missing admin authorization on global variables endpoint High
CVE-2026-47125 was published for github.com/getarcaneapp/arcane/backend (Go) May 23, 2026
offset Credited to offset
Parse Server: Pre-authentication denial of service via client version header regex backtracking High
CVE-2026-47138 was published for parse-server (npm) May 23, 2026
shmulc8 Credited to shmulc8 and mtrezza mtrezza mtrezza
Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification High
CVE-2026-46717 was published for github.com/nezhahq/nezha (Go) May 23, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database