GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,093 advisories

Compromised version of intercom-client published to npm Critical
GHSA-54pg-9963-v8vg was published for intercom-client (npm) May 7, 2026
Compromised tag of intercom-php published via GitHub Critical
GHSA-gr3r-crp5-qrrm was published for intercom/intercom-php (Composer) May 7, 2026
Credited to akshatgit and bugbunny-research
vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape Critical
CVE-2026-44005 was published for vm2 (npm) May 7, 2026
Credited to hongancalif
vm2 Access to Host Object Enables Sandbox Escape Critical
CVE-2026-43997 was published for vm2 (npm) May 7, 2026
Credited to c0rydoras
vm2 has a Sandbox Escape Vulnerability Critical
CVE-2026-44006 was published for vm2 (npm) May 7, 2026
Credited to c0rydoras
FileBrowser Public Share DELETE API Path Traversal Allows Unauthenticated Arbitrary File Deletion Critical
CVE-2026-44542 was published for github.com/gtsteffaniak/filebrowser (Go) May 7, 2026
Credited to Yesuhei
ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction Critical
CVE-2026-42880 was published for github.com/argoproj/argo-cd/v3 (Go) May 7, 2026
Credited to hoang-prod
Fleet: Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering Critical
CVE-2026-41050 was published for github.com/rancher/fleet (Go) May 7, 2026
Credited to kodareef5
Gotenberg vulnerable to unauthenticated SSRF via default deny-list bypass in downloadFrom and webhook Critical
CVE-2026-42596 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
Credited to R1ZZG0D
Gotenberg has Unauthenticated RCE via ExifTool Metadata Key Injection Critical
CVE-2026-42589 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
Credited to S-Senhaji
Compromise of PyTorch Lightning PyPi Package Versions Critical
CVE-2026-44484 was published for pytorch-lightning (pip) May 7, 2026
Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening Critical
GHSA-9h64-2846-7x7f was published for github.com/getaxonflow/axonflow (Go) May 6, 2026
misp-modules website - Missing CSRF protection in the website home blueprint Critical
CVE-2026-44364 was published for misp-modules (pip) May 6, 2026
Credited to DavidCruciani
fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver Critical
CVE-2026-44351 was published for fast-jwt (npm) May 6, 2026
Credited to bhaswanthc and SociableSteve
Valtimo has SpEL injection via StandardEvaluationContext that allows Remote Code Execution by admin users Critical
CVE-2026-42555 was published for com.ritense.valtimo:case (Maven) May 6, 2026
phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha Critical
GHSA-289f-fq7w-6q2w was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
Credited to adrgs and aisafe-bot
phpMyFAQ enables unauthenticated 2FA brute-force attack via /admin/check acceptance of arbitrary user-id Critical
GHSA-9pq7-mfwh-xx2j was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
Credited to adrgs and aisafe-bot
Scramble vulnerable to remote code execution via evaluation of user-controlled input in validation rules Critical
CVE-2026-44262 was published for dedoc/scramble (Composer) May 6, 2026
Credited to FORIMOC
wger: cross-tenant password reset and plaintext disclosure via gym=None bypass Critical
CVE-2026-43948 was published for wger (pip) May 6, 2026
Credited to whatisproblem
Nginx-UI is Vulnerable to Unauthenticated Remote Code Execution via Backup Restore Critical
CVE-2026-42238 was published for github.com/0xJacky/nginx-ui (Go) May 6, 2026
Credited to captain99hook
Rucio has SQL Injection in FilterEngine PostgreSQL Query Builder via DID Search API Critical
CVE-2026-29090 was published for rucio (pip) May 6, 2026
Credited to Mistz1
Rucio has SQL Injection in FilterEngine Oracle JSON Path via DID Search API Critical
CVE-2026-29080 was published for rucio (pip) May 6, 2026
Credited to Mistz1
ArcadeDB vulnerable to cross-database authorization bypass and unsecured newly-created databases Critical
CVE-2026-44221 was published for com.arcadedb:arcadedb-server (Maven) May 5, 2026