GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, by ecosystem:

All reviewed: 5,000+
Composer: 5,000+
Erlang: 73
GitHub Actions: 53
Go: 4,004
Maven: 5,000+
npm: 5,000+
NuGet: 974
pip: 5,000+
Pub: 13
RubyGems: 1,069
Rust: 1,395
Swift: 61

Unreviewed advisories:

All unreviewed: 5,000+
6,421 advisories
Advisory | Severity | ID | Package (ecosystem) | Published
Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization | Moderate | CVE-2026-44311 | fabric (npm) | Jun 12, 2026
esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY | High | GHSA-gv7w-rqvm-qjhr | esbuild (npm) | Jun 12, 2026
esbuild allows arbitrary file read when running the development server on Windows | Low | GHSA-g7r4-m6w7-qqqr | esbuild (npm) | Jun 12, 2026
Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL | High | CVE-2026-48152 | @budibase/server (npm) | Jun 12, 2026
Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema | High | CVE-2026-48151 | @budibase/server (npm) | Jun 12, 2026
Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign | Critical | CVE-2026-48150 | @budibase/server (npm) | Jun 12, 2026
Budibase: Unvalidated VectorDB Host Parameter Enables SSRF | Moderate | CVE-2026-48148 | @budibase/server (npm) | Jun 12, 2026
Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker | Moderate | CVE-2026-48147 | @budibase/backend-core (npm) | Jun 12, 2026
Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection | High | CVE-2026-48146 | @budibase/server (npm) | Jun 12, 2026
Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step | Moderate | CVE-2026-48128 | budibase (npm) | Jun 12, 2026
LangGraph has NoSQL parameter injection in MongoDBSaver, allowing cross-tenant state access | Moderate | CVE-2026-48121 | @langchain/langgraph-checkpoint-mongodb (npm) | Jun 12, 2026
@hapi/inert has a static-file confinement bypass via sibling-prefix path | Moderate | CVE-2026-48049 | @hapi/inert (npm) | Jun 11, 2026
@grpc/grpc-js: A malformed request can cause a server crash | High | CVE-2026-48068 | @grpc/grpc-js (npm) | Jun 11, 2026
@grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash | High | CVE-2026-48069 | @grpc/grpc-js (npm) | Jun 11, 2026
joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas | Moderate | CVE-2026-48038 | joi (npm) | Jun 11, 2026
OpenZeppelin Contracts Wizard has Code Injection in Generated Hardhat and Foundry Tests via Unsanitized opts.name / opts.uri | High | CVE-2026-48054 | @openzeppelin/wizard (npm) | Jun 11, 2026
@hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects | Moderate | CVE-2026-48022 | @hapi/wreck (npm) | Jun 11, 2026
Element Call reports full URLs of visited pages to analytics server | High | CVE-2026-48007 | @element-hq/element-call-embedded (npm) | Jun 11, 2026
Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload | Critical | CVE-2026-48063 | @whiskeysockets/baileys (npm) | Jun 10, 2026
Papra HTTP redirect bypass can lead to SSRF via webhook delivery system | Low | CVE-2026-48051 | @papra/webhooks (npm) | Jun 10, 2026
@hulumi/baseline: AccountFoundation reuse paths silently downgrade GuardDuty / Security Hub posture | Moderate | CVE-2026-48037 | @hulumi/baseline (npm) | Jun 10, 2026
@hulumi/drift: Drift classifier fails open on adapter errors and over-promotes Mixed verdicts | High | CVE-2026-48036 | @hulumi/drift (npm) | Jun 10, 2026
@hulumi/baseline: AccountFoundation audit-delivery S3 bucket could be silently weakened | High | CVE-2026-48035 | @hulumi/baseline (npm) | Jun 10, 2026
@hulumi/policies has a HULUMI-H5 bypass via decoy sibling resources targeting a different bucket | High | CVE-2026-48034 | @hulumi/policies (npm) | Jun 10, 2026
@hulumi/policies bypasses policy packs with a forged Pulumi-URN logical name | High | CVE-2026-48033 | @hulumi/policies (npm) | Jun 10, 2026
Advisories are also available from the GraphQL API.