Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
3,984
Maven
5,000+
npm
5,000+
NuGet
973
pip
5,000+
Pub
13
RubyGems
1,069
Rust
1,387
Swift
56
Unreviewed advisories
All unreviewed
5,000+

2,481 advisories

Loading
@hulumi/drift: Drift classifier fails open on adapter errors and over-promotes Mixed verdicts High
CVE-2026-48036 was published for @hulumi/drift (npm) Jun 10, 2026
kerberosmansour Credited to kerberosmansour
@hulumi/baseline: AccountFoundation audit-delivery S3 bucket could be silently weakened High
CVE-2026-48035 was published for @hulumi/baseline (npm) Jun 10, 2026
kerberosmansour Credited to kerberosmansour
@hulumi/policies has a HULUMI-H5 bypass via decoy sibling resources targeting a different bucket High
CVE-2026-48034 was published for @hulumi/policies (npm) Jun 10, 2026
kerberosmansour Credited to kerberosmansour
@hulumi/policies bypasses policy packs with a forged Pulumi-URN logical name High
CVE-2026-48033 was published for @hulumi/policies (npm) Jun 10, 2026
kerberosmansour Credited to kerberosmansour
@hulumi/policies bypasses IAM-role policy checks when the role trusts multiple OIDC providers High
CVE-2026-48032 was published for @hulumi/policies (npm) Jun 10, 2026
kerberosmansour Credited to kerberosmansour
FUXA: Unauthenticated SSRF via Socket.IO DEVICE_WEBAPI_REQUEST and DEVICE_PROPERTY with response reading High
CVE-2026-47719 was published for fuxa-server (npm) Jun 8, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection High
CVE-2026-47761 was published for TinyMCE (Composer) Jun 5, 2026
UncleJ4ck Credited to UncleJ4ck and ange-primiterra ange-primiterra ange-primiterra
TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments High
CVE-2026-47762 was published for TinyMCE (Composer) Jun 5, 2026
he1d3n Credited to he1d3n
TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes High
CVE-2026-47759 was published for TinyMCE (Composer) Jun 5, 2026
mtrill47 Credited to mtrill47 and he1d3n he1d3n he1d3n
TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs High
CVE-2026-47760 was published for TinyMCE (Composer) Jun 5, 2026
maple3142 Credited to maple3142
DbGate: Remote Code Execution via functionName injection in loadReader endpoint High
CVE-2026-48017 was published for dbgate-api (npm) Jun 5, 2026
romain-deperne Credited to romain-deperne
Sync-in Server: SSRF protection bypass via IPv4-mapped IPv6 addresses in regExpPrivateIP High
CVE-2026-47684 was published for @sync-in/server (npm) Jun 5, 2026
x0root Credited to x0root and johaven johaven johaven
NocoDB: Stored Cross-Site Scripting via Form View Redirect URL High
CVE-2026-47387 was published for nocodb (npm) Jun 5, 2026
kah-ja Credited to kah-ja
NocoDB: Stored Cross-Site Scripting via Row Comments High
CVE-2026-47383 was published for nocodb (npm) Jun 5, 2026
DavidCarliez Credited to DavidCarliez and Mouhebbenelwafi Mouhebbenelwafi Mouhebbenelwafi
React Router vulnerable to Denial of Service via reflected user input in single-fetch High
CVE-2026-34077 was published for react-router (npm) Jun 4, 2026
Oceandust Credited to Oceandust
Better Auth: Device authorization approve and deny accept any authenticated session while the user code is pending High
CVE-2026-45337 was published for better-auth (npm) Jun 4, 2026
whrit Credited to whrit
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection High
CVE-2026-44496 was published for axios (npm) Jun 4, 2026
Allocation of Resources Without Limits or Throttling in Axios High
CVE-2026-44488 was published for axios (npm) Jun 4, 2026
asadeddin Credited to asadeddin
Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter High
CVE-2026-44487 was published for axios (npm) Jun 4, 2026
Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection High
CVE-2026-44486 was published for axios (npm) Jun 4, 2026
ngocnn97 Credited to ngocnn97
browserstack-runner vulnerable to Remote Code Execution via vm sandbox escape in _log HTTP handler High
CVE-2026-49143 was published for browserstack-runner (npm) Jun 3, 2026
Christbowel Credited to Christbowel
browserstack-runner has an unauthenticated arbitrary file read via path traversal in HTTP server High
CVE-2026-49144 was published for browserstack-runner (npm) Jun 3, 2026
Christbowel Credited to Christbowel
React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint High
CVE-2026-42342 was published for @remix-run/server-runtime (npm) Jun 3, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE High
CVE-2026-42211 was published for react-router (npm) Jun 3, 2026
SM41ldRag0n Credited to SM41ldRag0n
React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets High
CVE-2026-33245 was published for react-router (npm) Jun 3, 2026
x4cc3 Credited to x4cc3
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database