GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
352 advisories
External control of file name or path in Microsoft Edge (Chromium-based) allows an unauthorized...
High • Unreviewed • CVE-2026-41107 was published on May 12, 2026
External control of file name or path in Windows Ancillary Function Driver for WinSock allows an...
High • Unreviewed • CVE-2026-41088 was published on May 12, 2026
External control of file name or path in Microsoft Office Word allows an unauthorized attacker to...
Moderate • Unreviewed • CVE-2026-40421 was published on May 12, 2026
External control of file name or path in SQL Server allows an authorized attacker to execute code...
High • Unreviewed • CVE-2026-40370 was published on May 12, 2026
External control of file name or path in Azure Monitor Agent allows an authorized attacker to...
High • Unreviewed • CVE-2026-32204 was published on May 12, 2026
External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote...
Critical • Unreviewed • CVE-2026-8043 was published on May 12, 2026
Dalfox Server Mode has an Unauthenticated Arbitrary File Create/Append via `output` Option
High • CVE-2026-45089 was published for github.com/hahwul/dalfox/v2 (Go) on May 12, 2026
Dalfox Server Mode has an Unauthenticated Arbitrary File Read with Out-of-Band Exfiltration via `custom-payload-file`
High • CVE-2026-45088 was published for github.com/hahwul/dalfox/v2 (Go) on May 12, 2026
Streamlink has an arbitrary local file read via file:// URI in HLS and DASH
Moderate • CVE-2026-44353 was published for streamlink (pip) on May 11, 2026
SEPPmail Secure Email Gateway before version 15.0.4 contains an unauthenticated path traversal...
High • Unreviewed • CVE-2026-44127 was published on May 8, 2026
Microsoft APM CLI's plugin.json component paths escape plugin root and copy arbitrary host files during install
High • CVE-2026-44641 was published for apm-cli (pip) on May 7, 2026
Gotenberg allows Chromium URL conversion routes to read arbitrary files under /tmp via file:// scheme
Moderate • CVE-2026-42597 was published for github.com/gotenberg/gotenberg/v8 (Go) on May 7, 2026
Gotenberg has arbitrary PDF read via stampExpression and watermarkExpression in merge, split, and convert routes
Moderate • CVE-2026-42593 was published for github.com/gotenberg/gotenberg/v8 (Go) on May 7, 2026
changedetection.io has an Arbitrary Local File Read via a crafted backup restore
High • CVE-2026-43891 was published for changedetection.io (pip) on May 5, 2026
@evomap/evolver: Path Traversal in `evolver fetch` default-branch `safeId` allows Hub-controlled overwrite of project files (RCE)
High • GHSA-cfcj-hqpf-hccf was published for @evomap/evolver (npm) on May 5, 2026
A vulnerability was identified in Totolink N300RH 6.1c.1353_B20190305. This impacts the function...
Moderate • Unreviewed • CVE-2026-7633 was published on May 2, 2026
i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite
High • CVE-2026-41693 was published for i18next-fs-backend (npm) on Apr 22, 2026
The HTTP Headers plugin for WordPress is vulnerable to External Control of File Name or Path...
High • Unreviewed • CVE-2026-4132 was published on Apr 22, 2026
nbconvert has an Arbitrary File Write via Path Traversal in Cell Attachment Filenames
Moderate • CVE-2026-39377 was published for nbconvert (pip) on Apr 21, 2026
Duplicate Advisory: OpenClaw: Webchat media embedding enforces local-root containment for tool-result files
Moderate • GHSA-qc5j-2mqx-x83q was published for openclaw (npm) on Apr 20, 2026 • withdrawn
OpenClaw: Webchat media embedding enforces local-root containment for tool-result files
Moderate • CVE-2026-41389 was published for openclaw (npm) on Apr 17, 2026
Paperclip: Arbitrary File Read via Agent-Controlled adapterConfig.instructionsFilePath
Moderate • GHSA-3pw3-v88x-xj24 was published for @paperclipai/shared (npm) on Apr 16, 2026
Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose an...
High • Unreviewed • CVE-2026-39907 was published on Apr 15, 2026
The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to...
High • Unreviewed • CVE-2026-5809 was published on Apr 11, 2026
NoMachine External Control of File Path Arbitrary File Deletion Vulnerability. This vulnerability...
High • Unreviewed • CVE-2026-5053 was published on Apr 11, 2026