GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 73; GitHub Actions 53; Go 3,984; Maven 5,000+; npm 5,000+; NuGet 973; pip 5,000+; Pub 13; RubyGems 1,069; Rust 1,387; Swift 56.
Unreviewed advisories: All unreviewed 5,000+.
4,265 advisories (severity filter applied; every entry below is rated Critical)
Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload
Critical, CVE-2026-48063, published for @whiskeysockets/baileys (npm) on Jun 10, 2026

Go Restful API Boilerplate: Hardcoded JWT Secret "random" Allows Token Forgery
Critical, CVE-2026-48031, published for github.com/dhax/go-base (Go) on Jun 10, 2026

Pheditor: OS Command Injection in terminal handler via unsanitized 'dir' parameter
Critical, CVE-2026-48030, published for pheditor/pheditor (Composer) on Jun 9, 2026

PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground
Critical, CVE-2026-8467, published for phoenix_storybook (Erlang) on Jun 9, 2026

shell-quote quote() does not escape newlines in object .op values
Critical, CVE-2026-9277, published for shell-quote (npm) on Jun 9, 2026

nebula-mesh: API endpoints lack ownership checks, enabling cross-operator privilege escalation
Critical, CVE-2026-47724, published for github.com/juev/nebula-mesh (Go) on Jun 8, 2026

Anyquery: AppleScript/JXA Code Injection via Unescaped URL in macOS Chrome Plugin
Critical, CVE-2026-47252, published for github.com/julien040/anyquery/plugins/brave (Go) on Jun 8, 2026

PHPSpreadsheet has a patch bypass for CVE-2026-34084
Critical, CVE-2026-45034, published for phpoffice/phpspreadsheet (Composer) on Jun 8, 2026

Shopper: Authorization bypass and RBAC privilege escalation in team settings
Critical, CVE-2026-47744, published for shopper/framework (Composer) on Jun 5, 2026

NASA AMMOS Instrument Toolkit: Path traversal resulting in arbitrary file append (can be triggered over the network by unauthenticated attacker)
Critical, CVE-2026-47731, published for ait-core (pip) on Jun 5, 2026

Authenticated Remote Code Execution via loadReader functionName code injection in DbGate
Critical, CVE-2026-47670, published for dbgate-api (npm) on Jun 5, 2026

DbGate: Zip Slip in archive/unzip allows arbitrary file write leading to RCE
Critical, CVE-2026-47669, published for dbgate (npm) on Jun 5, 2026
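The Zip Slip entry above names the bug class (an archive member whose path escapes the extraction directory) but not the fix. The following is an added illustration of the generic check, written for this page and not taken from DbGate; the sample archive is constructed inline and the destination directory /srv/uploads is an assumed path. A vulnerable extractor is simply the same loop without the classify step, writing every member to os.path.join(dest, name).

```python
"""Zip Slip: resolve every member path and refuse any that escapes the destination.

Added example, not DbGate's code. The archive below is constructed for the demo.
"""
import io
import os
import zipfile
from typing import List, Tuple


def build_sample_archive() -> bytes:
    """Constructed sample: one benign member and two traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        # relative traversal: climbs out of dest with ".."
        zf.writestr("../../etc/cron.d/evil", "* * * * * root id\n")
        # absolute path: os.path.join(dest, name) discards dest entirely
        zf.writestr("/root/.ssh/authorized_keys", "ssh-ed25519 AAAA... attacker\n")
    return buf.getvalue()


def classify_members(archive: bytes, dest: str) -> Tuple[List[str], List[str]]:
    """Split member names into those resolving inside dest and those escaping it."""
    base = os.path.realpath(dest)
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            # realpath collapses ".." and symlinks; join drops base for absolute names
            target = os.path.realpath(os.path.join(base, name))
            if os.path.commonpath([base, target]) == base:
                safe.append(name)
            else:
                rejected.append(name)
    return safe, rejected


def safe_extract(archive: bytes, dest: str) -> List[str]:
    """Fail closed: extract nothing if any member would land outside dest."""
    safe, rejected = classify_members(archive, dest)
    if rejected:
        raise ValueError(f"refusing archive with traversal entries: {rejected}")
    written = []
    base = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in safe:
            target = os.path.join(base, name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(name))
            written.append(target)
    return written


if __name__ == "__main__":
    safe, rejected = classify_members(build_sample_archive(), "/srv/uploads")
    print("safe:", safe)          # ['readme.txt']
    print("rejected:", rejected)  # ['../../etc/cron.d/evil', '/root/.ssh/authorized_keys']
```

Python's own ZipFile.extractall already strips leading slashes and ".." components, so the check matters for hand-rolled extractors and for libraries in other ecosystems that write member paths verbatim. Symlink members are a separate concern: a link pointing outside dest followed by a file written through it defeats a path check alone, so extractors that honour symlinks need to re-check the resolved target after each write.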
DbGate: Unauthenticated Remote Code Execution via JSON Script Runner
Critical, CVE-2026-47668, published for dbgate-serve (npm) on Jun 5, 2026

MCP-for-Stata: Command injection via log_file_name parameter in Stata command wrapper
Critical, CVE-2026-47708, published for stata-mcp (pip) on Jun 4, 2026

Supply chain compromise via malicious @cap-js/openapi
Critical, GHSA-jpvj-wpmj-h7rv, published for @cap-js/openapi (npm) on Jun 4, 2026

WWBN AVideo: Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPTSocket Plugin
Critical, GHSA-8whc-2wmv-ww35, published for WWBN/AVideo (Composer) on Jun 4, 2026

Jupyter Enterprise Gateway: Kubernetes Manifest Injection in Jinja2 Template Rendering
Critical, CVE-2026-44182, published for jupyter_enterprise_gateway (pip) on Jun 3, 2026

Jupyter Enterprise Gateway: Jinja2 Template Server Side Template Injection resulting in Remote Code Execution
Critical, CVE-2026-44181, published for jupyter_enterprise_gateway (pip) on Jun 3, 2026

Jupyter Enterprise Gateway: ContainerProcessProxy._enforce_prohibited_ids Bypass
Critical, CVE-2026-44180, published for jupyter_enterprise_gateway (pip) on Jun 3, 2026

praisonai-platform: Any workspace member can add arbitrary user as owner via POST /workspaces/{id}/members
Critical, CVE-2026-47413, published for praisonai-platform (pip) on Jun 1, 2026

Vitest browser mode serves unsanitized otelCarrier query parameter as inline script
Critical, CVE-2026-47428, published for @vitest/browser (npm) on Jun 1, 2026

When Vitest UI server is listening, arbitrary file can be read and executed
Critical, CVE-2026-47429, published for vitest (npm) on Jun 1, 2026

praisonai-platform: Any workspace member can promote themselves or others to owner via PATCH /workspaces/{id}/members/{user_id}
Critical, CVE-2026-47416, published for praisonai-platform (pip) on May 29, 2026

praisonai-platform: JWT signing key defaults to hardcoded "dev-secret-change-me", allowing token forgery for any user when PLATFORM_ENV is unset
Critical, CVE-2026-47410, published for praisonai-platform (pip) on May 29, 2026
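Two entries in this list, the go-base advisory (hardcoded secret "random") and the praisonai-platform advisory just above (default "dev-secret-change-me" when the environment is not configured), describe the same failure: an HS256 signing key that falls back to a value printed in the source, so anyone who has read the repository can mint a token for any user. The block below is an added demonstration written for this page, not code from either project. It assumes an environment variable named JWT_SECRET and reuses the praisonai default string as the illustrative weak value; the minimal HS256 encoder/verifier is included only so the forgery runs offline without a JWT library.

```python
"""Default JWT signing secret: the forgery it permits, and the fail-closed replacement.

Added example, not go-base's or praisonai-platform's code. JWT_SECRET is an
assumed variable name; the default string is taken from the advisory title above.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

WEAK_DEFAULT = "dev-secret-change-me"  # the published fallback; "random" would behave the same


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_hs256(claims: dict, secret: str) -> str:
    """Minimal HS256 JWT encoder, enough to show the forgery without a library."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Return the claims if the HMAC verifies under `secret`, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(secret.encode(), f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def weak_secret(env: dict) -> str:
    """Vulnerable pattern: silently fall back to a published default when unset."""
    return env.get("JWT_SECRET", WEAK_DEFAULT)


def strict_secret(env: dict) -> str:
    """Hardened pattern: refuse to start unless a real, non-default secret is configured."""
    secret = env.get("JWT_SECRET")
    if not secret or secret == WEAK_DEFAULT or len(secret) < 32:
        raise RuntimeError("JWT_SECRET must be set to a random value of at least 32 characters")
    return secret


def forge_as_owner(server_env: dict) -> Optional[dict]:
    """Attacker side: sign with the known default and check whether the server accepts it."""
    attacker_token = sign_hs256({"sub": "admin", "role": "owner"}, WEAK_DEFAULT)
    return verify_hs256(attacker_token, weak_secret(server_env))


if __name__ == "__main__":
    print(forge_as_owner({}))                        # {'sub': 'admin', 'role': 'owner'}
    print(forge_as_owner({"JWT_SECRET": "x" * 40}))  # None
    try:
        strict_secret({})
    except RuntimeError as exc:
        print("refused:", exc)
```

The point of strict_secret is that a missing secret is a deployment error, not a condition to paper over: the process should fail at startup, where an operator sees it, rather than accept any token whose signer read the source. The length check is a coarse guard against someone "fixing" the default by setting a short string; generate the value with a CSPRNG and rotate it if it has ever been committed.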
PraisonAI Platform has a cross-workspace IDOR + member-role privilege escalation
Critical, CVE-2026-47407, published for praisonai-platform (pip) on May 29, 2026
Advisories are also available from the GraphQL API.