
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

6,265 advisories

Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows Moderate
GHSA-c2c9-mfw7-p8hw was published for flowise (npm) May 20, 2026
Credited to offset and berkdedekarginoglu
Flowise: Hardcoded CORS wildcard on TTS endpoint enables cross-origin credential abuse from any webpage Moderate
GHSA-m837-xvxr-vqwg was published for flowise (npm) May 20, 2026
Credited to DeathsPirate
Supply chain compromise via malicious package versions (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service) Critical
CVE-2026-46421 was published for @cap-js/db-service (npm) May 20, 2026
Credited to patricebender and chgeo
@angular/platform-server: SSRF via Hostname Hijacking High
CVE-2026-46417 was published for @angular/platform-server (npm) May 19, 2026
Credited to alan-agius4, AndrewKushnir, VenkatKwest, and dgp1130
Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19) — Mini Shai-Hulud worm Critical
CVE-2026-46412 was published for @beproduct/nestjs-auth (npm) May 19, 2026
CamoFox MCP: Unauthenticated HTTP MCP browser-control surface High
GHSA-7hgr-7h44-33w2 was published for camofox-mcp (npm) May 19, 2026
SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl High
CVE-2026-46372 was published for sillytavern (npm) May 19, 2026
@libp2p/kad-dht: Unvalidated PUT_VALUE records allow unbounded disk exhaustion on DHT server nodes High
CVE-2026-45783 was published for @libp2p/kad-dht (npm) May 19, 2026
Credited to tahaafarooq
Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning Low
CVE-2026-46342 was published for @nuxt/nitro-server (npm) May 19, 2026
Credited to fancymalware
PenPot MCP REPL server binds to 0.0.0.0 with unauthenticated /execute endpoint — RCE High
CVE-2026-45805 was published for @penpot/mcp (npm) May 19, 2026
Credited to AyushParkara and overgrowncarrot1
HAX CMS: Denial of Service using Malicious Import Request Moderate
CVE-2026-46357 was published for @haxtheweb/haxcms-nodejs (npm) May 19, 2026
Credited to silentrex04
Turbo: Login callback CSRF/session fixation Moderate
CVE-2026-45773 was published for turbo (npm) May 19, 2026
Turbo: Unexpected local code execution during Yarn Berry detection Low
CVE-2026-45772 was published for @turbo/codemod (npm) May 19, 2026
9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes Critical
CVE-2026-46339 was published for 9router (npm) May 19, 2026
Credited to sondt99
Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching Moderate
CVE-2026-46341 was published for @apify/actors-mcp-server (npm) May 19, 2026
Credited to yotampe-pluto
Budibase: Unrestricted Upload of File with Dangerous Type High
CVE-2026-46426 was published for budibase (npm) May 19, 2026
Credited to da7om85 and offset
protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion Moderate
CVE-2026-45740 was published for protobufjs (npm) May 19, 2026
Credited to fasrm
n8n: Credential exfiltration via Allowed HTTP Request Domains Bypass Moderate
GHSA-3875-8gcx-7v46 was published for n8n (npm) May 19, 2026
Credited to vnth4nhnt
n8n: Legacy ExecuteWorkflow Node Bypassed File Path Restrictions Moderate
GHSA-2vx9-7wpg-88jq was published for n8n (npm) May 19, 2026
Credited to YLChen-007
Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99) Moderate
CVE-2026-45670 was published for @nuxt/rspack-builder (npm) May 19, 2026
Credited to sapphi-red
Nuxt: Reflected XSS in `navigateTo()` external redirect Moderate
CVE-2026-45669 was published for nuxt (npm) May 19, 2026
Credited to Mr-In4inci3le
auth-fetch-mcp: SSRF and disk exfiltration via unvalidated auth_fetch and download_media URLs High
GHSA-hv85-774v-26fg was published for auth-fetch-mcp (npm) May 19, 2026
HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack High
CVE-2026-46511 was published for @haxtheweb/haxcms-nodejs (npm) May 19, 2026
Credited to trigerman