
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,305 advisories

deepstream is vulnerable to prototype pollution Critical
CVE-2026-49252 was published for @deepstream/server (npm) Jun 26, 2026
Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication Critical
CVE-2026-48797 was published for @mcptoolshop/backpropagate (npm) Jun 26, 2026
i18next-fs-backend vulnerable to prototype pollution via crafted missing-key string Critical
CVE-2026-48713 was published for i18next-fs-backend (npm) Jun 25, 2026
Credited to codeswhite
i18next-http-middleware: MissingKeyHandler does not reject keys whose segments contain prototype-polluting names Critical
CVE-2026-48714 was published for i18next-http-middleware (npm) Jun 25, 2026
Credited to codeswhite
Budibase has anonymous NoSQL operator injection via published-app query templates Critical
CVE-2026-54350 was published for @budibase/server (npm) Jun 23, 2026
Credited to kah-ja
Budibase has arbitrary file read by workspace-builder via PWA-zip symlink upload Critical
CVE-2026-54352 was published for @budibase/server (npm) Jun 22, 2026
Credited to kah-ja
scimPatch vulnerable to prototype pollution via unfiltered keys in patch Critical
CVE-2026-48170 was published for scim-patch (npm) Jun 22, 2026
Credited to McHippy3 and leewang0
Network-AI: Improper Neutralization of Special Elements used in an OS Command Critical
CVE-2026-54051 was published for network-ai (npm) Jun 19, 2026
Credited to lexdotdev
Network-AI: CVE-2026-46701 fix incomplete — empty default secret still authorizes all requests Critical
CVE-2026-48814 was published for network-ai (npm) Jun 19, 2026
Credited to SnailSploit
gemini-mcp-tool vulnerable to OS command injection and @file exfiltration via prompt quoting (CVE-2026-0755) Critical
CVE-2026-0755 was published for gemini-mcp-tool (npm) Jun 18, 2026
@acastellon/auth: Authentication bypass via spoofable headers in validateToken() Critical
GHSA-gfj5-979r-92pw was published for @acastellon/auth (npm) Jun 18, 2026
Credited to hackchang
npm PraisonAI MCPServer exposes unauthenticated HTTP tools/call Critical
GHSA-j4f3-55x4-r6q2 was published for praisonai (npm) Jun 18, 2026
Credited to rexpository
npm PraisonAI AgentOS exposes unauthenticated agent listing and invocation Critical
GHSA-9752-mhqh-h34f was published for praisonai (npm) Jun 18, 2026
Credited to rexpository
PraisonAI: Remote Code Execution via Sandbox Escape in `codeMode` Tool Critical
GHSA-p69m-4f92-2v84 was published for praisonai (npm) Jun 18, 2026
Credited to sondt99
npm PraisonAI codeMode sandbox escape via Function constructor Critical
GHSA-vmmj-pfw7-fjwp was published for praisonai (npm) Jun 18, 2026
Credited to rexpository
LobeHub: Unauthenticated SSRF in `/webapi/proxy` Critical
CVE-2026-54157 was published for @lobehub/lobehub (npm) Jun 16, 2026
Credited to 0xj3st3r
Remotion: arbitrary file write vulnerability Critical
CVE-2026-30121 was published for remotion (npm) Jun 15, 2026
Remotion: remote code execution (RCE) vulnerability Critical
CVE-2026-30120 was published for remotion (npm) Jun 15, 2026
Electron: Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow Critical
CVE-2026-54257 was published for electron (npm) Jun 15, 2026
Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE Critical
CVE-2026-53633 was published for @vitest/browser (npm) Jun 15, 2026
Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign Critical
CVE-2026-48150 was published for @budibase/server (npm) Jun 12, 2026
Credited to adrgs and aisafe-bot
Credited to purpshell and SheIITear
shell-quote quote() does not escape newlines in object .op values Critical
CVE-2026-9277 was published for shell-quote (npm) Jun 9, 2026
Credited to akshatgit and ljharb
Cordova Plugin InAppBrowser: iOS: Arbitrary Cordova callback IDs can be dispatched without validation from InAppBrowser WebViews. Critical
CVE-2026-47430 was published for cordova-plugin-inappbrowser (npm) Jun 8, 2026
Credited to NiklasMerz
Authenticated Remote Code Execution via loadReader functionName code injection in DbGate Critical
CVE-2026-47670 was published for dbgate-api (npm) Jun 5, 2026
Credited to tomasvanagas