GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
6,401 advisories
Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload
Critical
CVE-2026-48063
was published
for
@whiskeysockets/baileys
(npm)
Jun 10, 2026
Papra HTTP redirect bypass can lead to SSRF via webhook delivery system
Low
CVE-2026-48051
was published
for
@papra/webhooks
(npm)
Jun 10, 2026
@hulumi/baseline: AccountFoundation reuse paths silently downgrade GuardDuty / Security Hub posture
Moderate
CVE-2026-48037
was published
for
@hulumi/baseline
(npm)
Jun 10, 2026
@hulumi/drift: Drift classifier fails open on adapter errors and over-promotes Mixed verdicts
High
CVE-2026-48036
was published
for
@hulumi/drift
(npm)
Jun 10, 2026
@hulumi/baseline: AccountFoundation audit-delivery S3 bucket could be silently weakened
High
CVE-2026-48035
was published
for
@hulumi/baseline
(npm)
Jun 10, 2026
@hulumi/policies has a HULUMI-H5 bypass via decoy sibling resources targeting a different bucket
High
CVE-2026-48034
was published
for
@hulumi/policies
(npm)
Jun 10, 2026
@hulumi/policies bypasses policy packs with a forged Pulumi-URN logical name
High
CVE-2026-48033
was published
for
@hulumi/policies
(npm)
Jun 10, 2026
@hulumi/policies bypasses IAM-role policy checks when the role trusts multiple OIDC providers
High
CVE-2026-48032
was published
for
@hulumi/policies
(npm)
Jun 10, 2026
shell-quote quote() does not escape newlines in object .op values
Critical
CVE-2026-9277
was published
for
shell-quote
(npm)
Jun 9, 2026
FUXA's scheduler API missing admin check enables operator-to-admin escalation via scheduled device actions
Moderate
CVE-2026-47721
was published
for
fuxa-server
(npm)
Jun 8, 2026
FUXA has SQL Injection in its TDengine DAQ connector via backslash bypass of escapeTdString
Moderate
CVE-2026-47720
was published
for
fuxa-server
(npm)
Jun 8, 2026
FUXA: Unauthenticated SSRF via Socket.IO DEVICE_WEBAPI_REQUEST and DEVICE_PROPERTY with response reading
High
CVE-2026-47719
was published
for
fuxa-server
(npm)
Jun 8, 2026
actual Allows Electron to Run As Node
Moderate
CVE-2026-42890
was published
for
actual
(npm)
Jun 8, 2026
TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection
High
CVE-2026-47761
was published
for
TinyMCE
(Composer)
Jun 5, 2026
TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments
High
CVE-2026-47762
was published
for
TinyMCE
(Composer)
Jun 5, 2026
TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes
High
CVE-2026-47759
was published
for
TinyMCE
(Composer)
Jun 5, 2026
TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs
High
CVE-2026-47760
was published
for
TinyMCE
(Composer)
Jun 5, 2026
NocoDB: OAuth Tokens Persist Through Security Events
Moderate
GHSA-g72g-r7m4-9x4g
was published
for
nocodb
(npm)
Jun 5, 2026
DbGate: Remote Code Execution via functionName injection in loadReader endpoint
High
CVE-2026-48017
was published
for
dbgate-api
(npm)
Jun 5, 2026
Sync-in Server: SSRF protection bypass via IPv4-mapped IPv6 addresses in regExpPrivateIP
High
CVE-2026-47684
was published
for
@sync-in/server
(npm)
Jun 5, 2026
Authenticated Remote Code Execution via loadReader functionName code injection in DbGate
Critical
CVE-2026-47670
was published
for
dbgate-api
(npm)
Jun 5, 2026
DbGate: Unauthenticated Remote Code Execution via JSON Script Runner
Critical
CVE-2026-47668
was published
for
dbgate-serve
(npm)
Jun 5, 2026
NocoDB: Missing Ownership Check in MCP Attachment Read
Low
CVE-2026-47388
was published
for
nocodb
(npm)
Jun 5, 2026
NocoDB: Stored Cross-Site Scripting via Form View Redirect URL
High
CVE-2026-47387
was published
for
nocodb
(npm)
Jun 5, 2026
ProTip!
Advisories are also available from the
GraphQL API