
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

31,183 advisories

vm2 setup-sandbox.js violates Defense Invariant #11 in stack-trace formatter Low
GHSA-q3fm-4wcw-g57x was published for vm2 (npm) May 29, 2026
Credited to fg0x0
vm2 has a Sandbox Escape issue Critical
CVE-2026-47131 was published for vm2 (npm) May 29, 2026
Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*` Moderate
CVE-2026-47200 was published for @nuxt/nitro-server (npm) May 29, 2026
Credited to rmtsixq
Gotenberg has a Race Condition via Multipart `downloadFrom` Handling High
CVE-2026-45742 was published for github.com/gotenberg/gotenberg/v8 (Go) May 29, 2026
Credited to uokik
Gotenberg has an SSRF deny-list bypass in IsPublicIP via IPv6 6to4 / NAT64 / site-local prefixes High
CVE-2026-45741 was published for github.com/gotenberg/gotenberg/v8 (Go) May 29, 2026
Credited to yuui25
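The bypass class named in the Gotenberg SSRF advisory above is worth seeing in code: a deny-list that compares the literal address against private prefixes passes IPv6 forms that only embed a private IPv4 (6to4 2002::/16, NAT64 64:ff9b::/96) and the deprecated site-local fec0::/10 range. The following is an added, generic illustration written for this page, not Gotenberg's own code; the function names, prefix lists and probe addresses are the author's assumptions, and the probe addresses are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

// naiveDeny is the kind of literal prefix list a deny-list often starts with.
// (Illustrative list, not taken from any project.)
var naiveDeny = []netip.Prefix{
	netip.MustParsePrefix("127.0.0.0/8"),
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"),
	netip.MustParsePrefix("169.254.0.0/16"),
	netip.MustParsePrefix("::1/128"),
	netip.MustParsePrefix("fe80::/10"),
	netip.MustParsePrefix("fc00::/7"),
}

// NaiveIsPublicIP checks the literal address against the list. IPv4-mapped
// addresses are unmapped, but 6to4 and NAT64 addresses that merely carry a
// private IPv4, and site-local fec0::/10, match nothing and count as public.
func NaiveIsPublicIP(s string) bool {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return false
	}
	addr = addr.Unmap()
	for _, p := range naiveDeny {
		if p.Contains(addr) {
			return false
		}
	}
	return true
}

var (
	sixToFour = netip.MustParsePrefix("2002::/16")     // RFC 3056: 2002:AABB:CCDD::/48 carries AA.BB.CC.DD
	nat64     = netip.MustParsePrefix("64:ff9b::/96")  // RFC 6052: IPv4 sits in the low 32 bits
	siteLocal = netip.MustParsePrefix("fec0::/10")     // RFC 3879: deprecated, not covered by IsPrivate
	cgnat     = netip.MustParsePrefix("100.64.0.0/10") // RFC 6598 shared address space
)

// unwrapEmbeddedIPv4 returns the IPv4 address carried inside an IPv4-mapped,
// 6to4 or NAT64 address, or the input unchanged.
func unwrapEmbeddedIPv4(addr netip.Addr) netip.Addr {
	addr = addr.Unmap() // ::ffff:a.b.c.d -> a.b.c.d
	if addr.Is4() {
		return addr
	}
	b := addr.As16()
	switch {
	case sixToFour.Contains(addr):
		return netip.AddrFrom4([4]byte{b[2], b[3], b[4], b[5]})
	case nat64.Contains(addr):
		return netip.AddrFrom4([4]byte{b[12], b[13], b[14], b[15]})
	}
	return addr
}

// HardenedIsPublicIP unwraps the embedded IPv4 first, then applies the stdlib
// classifiers plus the ranges the stdlib does not treat as private.
func HardenedIsPublicIP(s string) bool {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return false
	}
	addr = unwrapEmbeddedIPv4(addr)
	if addr.IsUnspecified() || addr.IsLoopback() || addr.IsPrivate() ||
		addr.IsLinkLocalUnicast() || addr.IsMulticast() ||
		addr.IsInterfaceLocalMulticast() {
		return false
	}
	if siteLocal.Contains(addr) || cgnat.Contains(addr) {
		return false
	}
	return true
}

func main() {
	// Constructed probe addresses for the comparison.
	for _, s := range []string{
		"169.254.169.254",      // cloud metadata endpoint, blocked by both
		"::ffff:127.0.0.1",     // IPv4-mapped loopback, blocked by both
		"2002:c0a8:101::",      // 6to4 wrapping 192.168.1.1
		"64:ff9b::c0a8:101",    // NAT64 wrapping 192.168.1.1
		"fec0::1",              // site-local
		"2001:4860:4860::8888", // genuinely public
	} {
		fmt.Printf("%-22s naive=%-5v hardened=%v\n", s, NaiveIsPublicIP(s), HardenedIsPublicIP(s))
	}
}
```

The check must run on the address actually connected to, after DNS resolution and on every redirect hop; unwrapping the literal the user typed is not enough on its own. Teredo (2001::/32) also embeds an IPv4, but obfuscated, so a deny-list approach should treat that whole prefix as suspect rather than try to decode it.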
Gotenberg has path traversal in zip entry name via Windows-style separators in upload filename High
CVE-2026-44829 was published for github.com/gotenberg/gotenberg/v8 (Go) May 29, 2026
Credited to Curly-Haired-Baboon
axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy` High
CVE-2026-44494 was published for axios (npm) May 29, 2026
Credited to HamdaanAliQuatil and Tal-Gav
Froxlor has an incomplete fix for CVE-2026-30932 Moderate
CVE-2026-41237 was published for froxlor/froxlor (Composer) May 29, 2026
Froxlor has privilege escalation in SSH key synchronization via symlinked `authorized_keys` path High
CVE-2026-41236 was published for froxlor/froxlor (Composer) May 29, 2026
Credited to larlarua
Froxlor has an authorization bypass in FTP shell assignment via missing server-side `available_shells` enforcement High
CVE-2026-41235 was published for froxlor/froxlor (Composer) May 29, 2026
Credited to larlarua
Credited to BagToad, kommendorkapten, and babakks
HaxCMS has a stored Cross-Site Scripting (XSS) bypass in its saveNode endpoint High
CVE-2026-48527 was published for @haxtheweb/haxcms-nodejs (npm) May 29, 2026
Credited to kn1ph
tuf has platform-dependent delegation path matching Moderate
GHSA-qp9x-wp8f-qgjj was published for tuf (pip) May 28, 2026
Credited to kodareef5
Arcane Has an Authenticated Arbitrary Host File Read via Docker Compose Include Directives High
CVE-2026-47179 was published for github.com/getarcaneapp/arcane/backend (Go) May 28, 2026
Credited to offset
Dulwich Vulnerable to Command Injection via Merge Driver Path High
CVE-2026-42563 was published for dulwich (pip) May 28, 2026
Credited to hayageek
Dulwich has an arbitrary file write via NTFS-hostile tree entries on Windows High
CVE-2026-42305 was published for dulwich (pip) May 28, 2026
Credited to ctoth and jelmer
Pimcore Platform - SQL Injection in DataObject composite index handling during class definition import/save High
CVE-2026-5394 was published for pimcore/pimcore (Composer) May 28, 2026
Credited to researchatfluidattacks
FUXA provides guest and invalid-token access to protected read APIs in secure mode Moderate
CVE-2026-47718 was published for fuxa-server (npm) May 28, 2026
Credited to north-echo
Shamefile has an arbitrary file read via shamefile.yaml in shame next Moderate
CVE-2026-47144 was published for shamefile (npm) May 28, 2026
Credited to BKDDFS
nono: Sandbox escape on Linux via D-Bus: `systemd-run --user` Moderate
CVE-2026-47128 was published for nono-cli (Rust) May 28, 2026
Credited to cgwalters and NickCao
Credited to nicolas-grekas