GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open source software.

30,533 advisories

Apostrophe has stored XSS via javascript: URL in Image Widget Link (High)
CVE-2026-45011 was published for apostrophe (npm) on May 14, 2026
Credited to MuhammadUwais and Mujahidkhan525

Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget (High)
CVE-2026-45012 was published for apostrophe (npm) on May 14, 2026
Credited to yigitsengezer

Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html` (Critical)
CVE-2026-44990 was published for sanitize-html (npm) on May 14, 2026
Credited to sushi-gif

Karakeep SDK has SSRF via metascraper-logo-favicon that bypasses validateUrl protections (High)
GHSA-7rx4-c5vx-g8w3 was published for @karakeep/sdk (npm) on May 14, 2026
Credited to CE2Sec

go-billy has path traversal vulnerabilities (High)
CVE-2026-44973 was published for github.com/go-git/go-billy/v5 (Go) on May 14, 2026
Credited to faran66 and vnykmshr
Credited to hewei-gikaku

TanStack Start - Server Core: Inbound server-function request deserialization could invoke a sibling client-referenced server function (Moderate)
GHSA-9m65-766c-r333 was published for @tanstack/start-server-core (npm) on May 14, 2026
Credited to mufeedvh

Mistune Image Directive CSS Injection Vulnerability (Moderate)
CVE-2026-44899 was published for mistune (pip) on May 14, 2026
Credited to QiaoNPC and Across-Verticals-Malaysia

Mistune TOC Anchor Injection XSS (Moderate)
CVE-2026-44898 was published for mistune (pip) on May 14, 2026
Credited to QiaoNPC and Across-Verticals-Malaysia

OpenTelemetry Java SDK has Unbounded Memory Allocation in W3C Baggage Propagation (Moderate)
CVE-2026-45292 was published for io.opentelemetry:opentelemetry-api (Maven) on May 14, 2026
Credited to August829, trask, and jack-berg

Portainer missing authorization on custom template file endpoint, which exposes template content (Moderate)
CVE-2026-44884 was published for github.com/portainer/portainer (Go) on May 14, 2026
Credited to duddnr0615k

Portainer: JWT accepted in URL query leaks tokens to logs and referers (High)
CVE-2026-44883 was published for github.com/portainer/portainer (Go) on May 14, 2026
Credited to scanpwn

Portainer has an endpoint security bypass via Swarm service create/update (Critical)
CVE-2026-44849 was published for github.com/portainer/portainer (Go) on May 14, 2026
Credited to JohannesLks and route2shell

Portainer's Kubernetes middleware continues after token validation failure, bypassing endpoint authorization (High)
CVE-2026-44882 was published for github.com/portainer/portainer (Go) on May 14, 2026
Credited to kolega-ai-dev

Portainer has an Arbitrary File Read via Git Symlink Injection in Stack Auto-Update (High)
CVE-2026-44881 was published for github.com/portainer/portainer (Go) on May 14, 2026
Credited to b-hermes

Portainer has a bind-mount restriction bypass via HostConfig.Mounts (High)
CVE-2026-44850 was published for github.com/portainer/portainer (Go) on May 14, 2026
Credited to offensiveee, alexwaira, jeroengui, AyushParkara, and marduc812

Portainer has a path traversal in backup archive extraction that allows arbitrary file write (Moderate)
CVE-2026-44885 was published for github.com/portainer/portainer (Go) on May 14, 2026
Credited to kolega-ai-dev

Portainer missing authorization on Docker plugin endpoints, which allows host RCE (Critical)
CVE-2026-44848 was published for github.com/portainer/portainer (Go) on May 14, 2026
Credited to ikkebr

FlowiseAI: Evaluator create+update mass-assignment allows cross-workspace evaluator takeover (High)
GHSA-wxrr-jp8m-qq7f was published for flowise (npm) on May 14, 2026
Credited to offset

FlowiseAI: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover (High)
GHSA-mq53-pc65-wjc4 was published for flowise (npm) on May 14, 2026
Credited to offset

FlowiseAI: DatasetRow create+update mass-assignment allows cross-workspace row takeover (High)
GHSA-7j65-65cr-6644 was published for flowise (npm) on May 14, 2026
Credited to offset

FlowiseAI: Dataset create+update mass-assignment allows cross-workspace dataset takeover (High)
GHSA-5h9v-837x-m97r was published for flowise (npm) on May 14, 2026
Credited to offset