Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,004
Maven
5,000+
npm
5,000+
NuGet
974
pip
5,000+
Pub
13
RubyGems
1,069
Rust
1,395
Swift
61
Unreviewed advisories
All unreviewed
5,000+

31,590 advisories

Loading
Appsmith Super User Creation Race Condition Allows Multiple Instance Administrators High
GHSA-9wcp-79g5-5c3c was published for com.appsmith:server (Maven) Jun 12, 2026
Moonster8282 Credited to Moonster8282
Budibase: Unvalidated VectorDB Host Parameter Enables SSRF Moderate
CVE-2026-48148 was published for @budibase/server (npm) Jun 12, 2026
fg0x0 Credited to fg0x0
Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker Moderate
CVE-2026-48147 was published for @budibase/backend-core (npm) Jun 12, 2026
b-hermes Credited to b-hermes
GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution Moderate
CVE-2025-58175 was published for org.geoserver.web:gs-web-app (Maven) Jun 12, 2026
lemauanhphong Credited to lemauanhphong and jodygarnett jodygarnett jodygarnett
GeoServer has an arbitrary file write vulnerability in its Master Password Dump Page High
CVE-2025-52465 was published for org.geoserver.web:gs-web-app (Maven) Jun 12, 2026
YacineF Credited to YacineF, sikeoka, partywavesec, and jodygarnett sikeoka sikeoka
partywavesec partywavesec jodygarnett jodygarnett
Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection High
CVE-2026-48146 was published for @budibase/server (npm) Jun 12, 2026
axel-corsiez Credited to axel-corsiez
Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step Moderate
CVE-2026-48128 was published for budibase (npm) Jun 12, 2026
fg0x0 Credited to fg0x0
SwiftNIO HTTP/2: HTTP/2-to-HTTP/1 Request Smuggling via unvalidated :path pseudo-header in HTTP2ToHTTP1Codec Low
CVE-2026-28898 was published for github.com/apple/swift-nio-http2 (Swift) Jun 12, 2026
kuranikaran Credited to kuranikaran
NIOExtras: NIOHTTPRequestDecompressor ratio limit bypass via inflated Content-Length Moderate
CVE-2026-28975 was published for github.com/apple/swift-nio-extras (Swift) Jun 12, 2026
nathanielmiller23 Credited to nathanielmiller23
SwiftNIO NIOHTTP1: HTTPDecoder accepts unbounded HTTP/1 header blocks, enabling remote DoS High
CVE-2026-28980 was published for github.com/apple/swift-nio (Swift) Jun 12, 2026
Joannis Credited to Joannis
SwiftNIO: Out-of-bounds write via ByteBuffer index and length UInt32 overflow High
CVE-2026-43671 was published for github.com/apple/swift-nio (Swift) Jun 12, 2026
SwiftNIO: CRLF Injection in outbound HTTP request URI via NIOHTTPRequestHeadersValidator Moderate
CVE-2026-28970 was published for github.com/apple/swift-nio (Swift) Jun 12, 2026
kuranikaran Credited to kuranikaran and YLChen-007 YLChen-007 YLChen-007
LangGraph has NoSQL parameter injection in MongoDBSaver, allowing cross-tenant state access Moderate
CVE-2026-48121 was published for @langchain/langgraph-checkpoint-mongodb (npm) Jun 12, 2026
Nagendhra-web Credited to Nagendhra-web, etairl, and hntrl etairl etairl
hntrl hntrl
Firefly II has Stored XSS in Audit Log Entry view via piggy bank name (ale.twig) Moderate
GHSA-6jq6-x4cx-qvcm was published for grumpydictator/firefly-iii (Composer) Jun 12, 2026
alanturing881 Credited to alanturing881
Go-Attestation: Hash injection into trusted measurement list via unskipped SignatureHeaderSize vendor bytes in parseEfiSignatureList() Moderate
GHSA-9r4w-jg96-92mv was published for github.com/google/go-attestation (Go) Jun 12, 2026
prasanna8585 Credited to prasanna8585
Chisel has an ACL Bypass via Post-Handshake SSH Channel ExtraData Injection High
CVE-2026-48113 was published for github.com/jpillora/chisel (Go) Jun 12, 2026
mzfr Credited to mzfr
MessagePack's LZ4 decompression may fail with AccessViolationException after dereferencing memory from bad input High
CVE-2026-48109 was published for MessagePack (NuGet) Jun 11, 2026
AArnott Credited to AArnott
GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection High
CVE-2025-27511 was published for org.geoserver.extension:gs-db2 (Maven) Jun 11, 2026
H4cking2theGate Credited to H4cking2theGate, jodygarnett, and aaime jodygarnett jodygarnett
aaime aaime
Russh SSH message fields were decoded through allocation-first parsers before field-specific bounds High
CVE-2026-48110 was published for russh (Rust) Jun 11, 2026
mjc Credited to mjc
AWS Advanced Go Wrapper has Privilege Escalation in Aurora PostgreSQL instance High
CVE-2026-11401 was published for github.com/aws/aws-advanced-go-wrapper/auth-helpers (Go) Jun 11, 2026
ph0smet Credited to ph0smet
Russh: SSH identification parsing accepted non-canonical client banners and did not bound pre-banner input Moderate
CVE-2026-48108 was published for russh (Rust) Jun 11, 2026
mjc Credited to mjc
Russh: Unchecked keyboard-interactive prompt count in client auth path Moderate
CVE-2026-48107 was published for russh (Rust) Jun 11, 2026
mjc Credited to mjc
WsgiDAV encoded dot segments can escape filesystem share roots High
CVE-2026-48099 was published for wsgidav (pip) Jun 11, 2026
0xHunSec Credited to 0xHunSec
OpenFGA has cache-key delimiter injection in shared-iterator and v2 iterator that caches enables intra-store authorization-decision poisoning Moderate
CVE-2026-48096 was published for github.com/openfga/openfga (Go) Jun 11, 2026
j4xT Credited to j4xT
DevGuard has improper authorization on public assets High
CVE-2026-48089 was published for github.com/l3montree-dev/devguard (Go) Jun 11, 2026
philipflohr Credited to philipflohr
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database