Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
2,891
Erlang
24
GitHub Actions
39
Go
2,240
Maven
2,698
npm
2,899
NuGet
500
pip
2,728
Pub
5
RubyGems
364
Rust
889
Swift
19
Unreviewed advisories
All unreviewed
5,000+

15,098 advisories

Loading
i18next-http-middleware: Prototype pollution and path traversal via user-controlled language and namespace parameters High
GHSA-5fgg-jcpf-8jjw was published for i18next-http-middleware (npm) Apr 22, 2026
Daptin: SQL injection via unvalidated goqu.L() calls in aggregate API High
CVE-2026-41422 was published for github.com/daptin/daptin (Go) Apr 22, 2026
VashuVats Credited to VashuVats
DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix) Moderate
CVE-2026-41240 was published for dompurify (npm) Apr 22, 2026
kodareef5 Credited to kodareef5
DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode Moderate
CVE-2026-41239 was published for dompurify (npm) Apr 22, 2026
bencalif Credited to bencalif
DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback Moderate
CVE-2026-41238 was published for dompurify (npm) Apr 22, 2026
trace37labs Credited to trace37labs
CI4MS Theme::upload is vulnerable to Zip Slip leading to RCE Critical
CVE-2026-41203 was published for ci4-cms-erp/ci4ms (Composer) Apr 22, 2026
fg0x0 Credited to fg0x0
CI4MS Backup::restore is vulnerable to Zip Slip leading to RCE Critical
CVE-2026-41202 was published for ci4-cms-erp/ci4ms (Composer) Apr 22, 2026
fg0x0 Credited to fg0x0
CI4MS: Backup Management Full Account Takeover for All Roles & Privilege Escalation via Stored DOM Blind XSS Moderate
CVE-2026-41201 was published for ci4-cms-erp/ci4ms (Composer) Apr 22, 2026
bugmithlegend Credited to bugmithlegend and DexterHK DexterHK DexterHK
PHPUnit: Argument injection via newline in PHP INI values forwarded to child processes High
GHSA-mh6w-vxff-9wqp was published for phpunit/phpunit (Composer) Apr 22, 2026
engram: HTTP server CORS wildcard + auth-off-by-default enables CSRF graph exfiltration and persistent indirect prompt injection High
GHSA-2r2p-4cgf-hv7h was published for engramx (npm) Apr 22, 2026
RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution Critical
CVE-2026-41179 was published for github.com/rclone/rclone (Go) Apr 22, 2026
0wnerDied Credited to 0wnerDied and ncw ncw ncw
Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution Critical
CVE-2026-41176 was published for github.com/rclone/rclone (Go) Apr 22, 2026
0wnerDied Credited to 0wnerDied and ncw ncw ncw
OpenRemote has Improper Access Control via updateUserRealmRoles function High
CVE-2026-41166 was published for io.openremote:openremote-manager (Maven) Apr 22, 2026
KKC73 Credited to KKC73
actix-http has HTTP/1.1 CL.TE Request Smuggling Moderate
GHSA-xhj4-vrgc-hr34 was published for actix-http (Rust) Apr 22, 2026
mufeedvh Credited to mufeedvh
Poetry has Path Traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4 Low
CVE-2026-41140 was published for poetry (pip) Apr 22, 2026
kodareef5 Credited to kodareef5 and radoering radoering radoering
@saltcorn/data: Tenant user role is used for tenant creation role check High
GHSA-9237-rg5p-rhfw was published for @saltcorn/data (npm) Apr 22, 2026
j2l Credited to j2l
openvpn-auth-oauth2 returns FUNC_SUCCESS on client-deny, allowing unauthenticated VPN access Critical
CVE-2026-41070 was published for github.com/jkroepke/openvpn-auth-oauth2 (Go) Apr 22, 2026
kkalev Credited to kkalev
Astro: XSS in define:vars via incomplete </script> tag sanitization Moderate
CVE-2026-41067 was published for astro (npm) Apr 21, 2026
offset Credited to offset
lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files High
CVE-2026-41066 was published for lxml (pip) Apr 21, 2026
Brubbish Credited to Brubbish
Tekton Pipeline: Git Resolver Unsanitized Revision Parameter Enables git Argument Injection Leading to RCE High
CVE-2026-40938 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
offset Credited to offset, vdemeester, and kodareef5 vdemeester vdemeester
kodareef5 kodareef5
Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via Memory Exhaustion Moderate
CVE-2026-40924 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
offset Credited to offset and vdemeester vdemeester vdemeester
Tekton Pipelines: VolumeMount path restriction bypass via missing filepath.Clean in /tekton/ check Moderate
CVE-2026-40923 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
kodareef5 Credited to kodareef5, vdemeester, and aThorp96 vdemeester vdemeester
aThorp96 aThorp96
Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability Critical
CVE-2026-41264 was published for flowise (npm) Apr 21, 2026
zdi-disclosures Credited to zdi-disclosures
Brillig: Heap corruption in foreign call results with nested tuple arrays Critical
CVE-2026-41197 was published for brillig (Rust) Apr 21, 2026
free5GC UDR: Fail-open handling in PolicyDataSubsToNotifyPost allows unintended subscription creation Moderate
CVE-2026-40343 was published for github.com/free5gc/udr (Go) Apr 21, 2026
Giancannella Credited to Giancannella
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database