GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,595 advisories

Credited to 5h1kh4r
pnpm: `patch-remove` could delete project-selected files outside the patches directory High
GHSA-72r4-9c5j-mj57 was published for pnpm (npm) Jun 27, 2026
pnpm: Hoisted install imports lockfile alias outside node_modules High
GHSA-fr4h-3cph-29xv was published for pnpm (npm) Jun 27, 2026
pnpm: Repository-controlled configDependencies can select a pacquet native install engine High
CVE-2026-55697 was published for pnpm (npm) Jun 26, 2026
pnpm: Manifest identity spoof satisfies allowBuilds and runs attacker lifecycle High
CVE-2026-55487 was published for pnpm (npm) Jun 26, 2026
pnpm Vulnerable to Arbitrary File Write/Delete via Malicious Patch File (Path Traversal) High
CVE-2026-50015 was published for pnpm (npm) Jun 26, 2026
Credited to tempcollab
Credited to aszx87410
Credited to tonghuaroot
Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication High
CVE-2026-49357 was published for line-desktop-mcp (npm) Jun 26, 2026
better-helperjs Vulnerable to Directory Traversal via String Prefix Bypass in Static Server High
GHSA-3p34-w4f6-5xh2 was published for better-helperjs (npm) Jun 26, 2026
Credited to TurboRigby
Muhammara has a NULL pointer dereference in LZWDecode filter when DecodeParms omits EarlyChange key High
GHSA-fhp4-pr5j-46m5 was published for muhammara (npm) Jun 26, 2026
Credited to r3d5t0x3
LinkifyIt#match scan loop has quadratic algorithmic complexity High
CVE-2026-48801 was published for linkify-it (npm) Jun 26, 2026
Credited to hillalee
@budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation High
CVE-2026-54353 was published for @budibase/backend-core (npm) Jun 22, 2026
Credited to Artex09
Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution via appId Override High
CVE-2026-54351 was published for @budibase/server (npm) Jun 22, 2026
Credited to offset
@actual-app/sync-server: Disabled OpenID users keep access through existing session tokens High
CVE-2026-49229 was published for @actual-app/sync-server (npm) Jun 22, 2026
Credited to pyuysig and MatissJanis
Credited to liyander
Budibase has an Account Impersonation Issue — Chat Identity Link Hijacking via Missing Consent & CSRF High
CVE-2026-50132 was published for @budibase/server (npm) Jun 22, 2026
Credited to VishaaLlKumaaRr
Budibase: SSRF via OAuth2 token endpoint URL reaches internal hosts and cloud metadata High
CVE-2026-48153 was published for @budibase/server (npm) Jun 22, 2026
Credited to adrgs and aisafe-bot
Lokka: Azure Resource Manager URL path validation issue High
GHSA-g2gw-q38m-vjfc was published for @merill/lokka (npm) Jun 19, 2026
Credited to hackchang
@jhb.software/payload-cloudinary-plugin: Arbitrary Cloudinary API Parameter Signing High
GHSA-h5x8-xp6m-x6q4 was published for @jhb.software/payload-cloudinary-plugin (npm) Jun 19, 2026
Credited to EQSTLab
appium-mcp: Unescaped Locator Data XSS in MCP-UI Resource (createLocatorGeneratorUI) High
GHSA-x975-rgx4-5fh4 was published for appium-mcp (npm) Jun 19, 2026
Credited to EQSTLab
Uni-CLI: Legacy HTTP MCP transport accepted browser-originated localhost requests High
GHSA-v3f4-w7r7-v3hm was published for @zenalexa/unicli (npm) Jun 19, 2026
Credited to dodge1218