GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories (count by ecosystem): All reviewed 5,000+; Composer 5,000+; Erlang 92; GitHub Actions 54; Go 4,217; Maven 5,000+; npm 5,000+; NuGet 1,021; pip 5,000+; Pub 13; RubyGems 1,103; Rust 1,443; Swift 61
Unreviewed advisories (count): All unreviewed 5,000+
327 advisories
Contrast's Imagepuller registryFor uses unanchored suffix matching, leaking auth credentials and trusted CA configuration to sibling-domain registries
Low. GHSA-6c87-g9pw-78fx was published for github.com/edgelesssys/contrast (Go) on Jul 1, 2026

Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources
Moderate. CVE-2026-49288 was published for statamic/cms (Composer) on Jun 26, 2026

Fleet DM Vulnerable to Cross-Team Policy Data Exposure via Global Policy Read Endpoint
Moderate. CVE-2026-41262 was published for github.com/fleetdm/fleet/v4 (Go) on Jun 26, 2026

OliveTin: ValidateArgumentType API Endpoint's Missing Authentication Allows Action and Argument Enumeration
Low. CVE-2026-48709 was published for github.com/OliveTin/OliveTin (Go) on Jun 24, 2026

@actual-app/web has CSV Formula Injection in Transaction Export via Imported Payee/Notes Fields
Moderate. CVE-2026-50179 was published for @actual-app/web (npm) on Jun 22, 2026

Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution via appId Override
High. CVE-2026-54351 was published for @budibase/server (npm) on Jun 22, 2026

@actual-app/sync-server's missing authorization on GET /secret/:name allows non-admin OpenID users to enumerate admin-configured bank-sync secrets
Moderate. CVE-2026-46700 was published for @actual-app/sync-server (npm) on Jun 22, 2026

@actual-app/cli `--format csv` Output Vulnerable to CSV Formula Injection via Custom `escapeCsv` Helper
Moderate. CVE-2026-46672 was published for @actual-app/cli (npm) on Jun 22, 2026

AVideo has an Authorize.Net Webhook Signature Bypass that Enables Wallet Balance Inflation via Forged Payment Data
Moderate. CVE-2026-33731 was published for wwbn/avideo (Composer) on Jun 22, 2026

AVideo's Privilege Escalation via Unguarded Permission Parameters in signUp API Allows Self-Granting Upload/Stream/Meet Permissions
Moderate. CVE-2026-33684 was published for wwbn/avideo (Composer) on Jun 22, 2026

parse-server: LiveQuery discloses object data to a subscriber across an ACL read-access change
Low. GHSA-97pr-9hgg-3p8r was published for parse-server (npm) on Jun 19, 2026

Allure Report: Stored XSS via unescaped ANSI helper in status message/trace rendering
Moderate. CVE-2026-55847 was published for io.qameta.allure:allure-generator (Maven) on Jun 19, 2026

Allure Report: Path Traversal in HTTP Server Allows Arbitrary File Read
Moderate. CVE-2026-55846 was published for io.qameta.allure:allure-commandline (Maven) on Jun 19, 2026

parse-server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL
Moderate. CVE-2026-53726 was published for parse-server (npm) on Jun 19, 2026

parse-server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied
Moderate. CVE-2026-53725 was published for parse-server (npm) on Jun 19, 2026

parse-server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist
Low. CVE-2026-53724 was published for parse-server (npm) on Jun 19, 2026

parse-server: Server option routeAllowList is bypassable through batch sub-requests
Moderate. CVE-2026-50008 was published for parse-server (npm) on Jun 19, 2026

DOMPurify: Trusted Types policy survives `clearConfig()` and can poison later `RETURN_TRUSTED_TYPE` output
Low. GHSA-vxr8-fq34-vvx9 was published for dompurify (npm) on Jun 15, 2026

DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR`
Moderate. GHSA-76mc-f452-cxcm was published for dompurify (npm) on Jun 15, 2026

DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks
Moderate. CVE-2026-49458 was published for dompurify (npm) on Jun 15, 2026

DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM
Moderate. CVE-2026-49459 was published for dompurify (npm) on Jun 15, 2026

Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data
Moderate. CVE-2026-49397 was published for github.com/nezhahq/nezha (Go) on Jun 10, 2026

praisonai-platform: Agent endpoints accept any agent_id without workspace ownership check, cross-workspace read/update/delete IDOR
High. CVE-2026-47419 was published for praisonai-platform (pip) on Jun 5, 2026

Shopware: SSRF in Media External-Link Endpoint Bypasses IP Validation
Moderate. CVE-2026-48013 was published for shopware/core (Composer) on Jun 4, 2026

Shopware: Admin API ACL Bypass in Order State Transition Endpoints
Moderate. CVE-2026-48014 was published for shopware/core (Composer) on Jun 4, 2026
ProTip! Advisories are also available from the GraphQL API.