GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

29,215 advisories

Unsafe object property setter in mathjs (High)
CVE-2026-40897 was published for mathjs (npm) Apr 16, 2026

Authlib: Cross-site request forging when using cache (Moderate)
GHSA-jj8c-mmj3-mmgv was published for authlib (pip) Apr 16, 2026

Angular: SSRF via protocol-relative and backslash URLs in Angular Platform-Server (High)
GHSA-45q2-gjvg-7973 was published for @angular/platform-server (npm) Apr 16, 2026
Credited to YLChen-007, alan-agius4, AndrewKushnir, and josephperrott

Arbitrary code execution in protobufjs (Critical)
CVE-2026-41242 was published for protobufjs (npm) Apr 16, 2026
Credited to cristianstaicu, alexander-fenster, and sofisl

@fastify/static vulnerable to path traversal in directory listing (Moderate)
CVE-2026-6410 was published for @fastify/static (npm) Apr 16, 2026
Credited to yuki-matsuhashi, mcollina, UlisesGascon, and climba03003

@fastify/static vulnerable to route guard bypass via encoded path separators (Moderate)
CVE-2026-6414 was published for @fastify/static (npm) Apr 16, 2026
Credited to blakeembrey, mcollina, UlisesGascon, and climba03003

@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes (Critical)
CVE-2026-6270 was published for @fastify/middie (npm) Apr 16, 2026
Credited to FredKSchott, climba03003, and UlisesGascon

@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option (High)
CVE-2026-33804 was published for @fastify/middie (npm) Apr 16, 2026
Credited to FredKSchott, mcollina, climba03003, and UlisesGascon

Flowise: resetPassword Authentication Bypass Vulnerability (High)
GHSA-f6hc-c5jr-878p was published for flowise (npm) Apr 16, 2026
Credited to zdi-disclosures

Flowise: Cypher Injection in GraphCypherQAChain (High)
GHSA-28g4-38q8-3cwc was published for flowise (npm) Apr 16, 2026
Credited to tenbbughunters

Flowise: Password Reset Link Sent Over Unsecured HTTP (High)
GHSA-x5w6-38gp-mrqh was published for flowise (npm) Apr 16, 2026
Credited to charmedai

Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow in Flowise (High)
GHSA-6f7g-v4pp-r667 was published for flowise (npm) Apr 16, 2026
Credited to melonattacker

Flowise: APIChain Prompt Injection SSRF in GET/POST API Chains (High)
GHSA-6r77-hqx7-7vw8 was published for flowise (npm) Apr 16, 2026
Credited to wsparks-vc

Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure) (High)
GHSA-2x8m-83vc-6wv4 was published for flowise (npm) Apr 16, 2026
Credited to ESPanda666 and JLLeitschuh

Flowise: SSRF Protection Bypass via Unprotected Built-in HTTP Modules in Custom Function Sandbox (High)
GHSA-xhmj-rg95-44hv was published for flowise (npm) Apr 16, 2026
Credited to Sn1r

Flowise: File Upload Validation Bypass in createAttachment (High)
GHSA-rh7v-6w34-w2rr was published for flowise (npm) Apr 16, 2026
Credited to quirmz

Flowise: Parameter Override Bypass Remote Command Execution (High)
GHSA-cvrr-qhgw-2mm6 was published for flowise (npm) Apr 16, 2026
Credited to retpoline

Flowise: Sensitive Data Leak in public-chatbotConfig (High)
GHSA-4jpm-cgx2-8h37 was published for flowise (npm) Apr 16, 2026
Credited to DenizParlak

Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association (High)
GHSA-48m6-ch88-55mj was published for flowise (npm) Apr 16, 2026
Credited to berkdedekarginoglu

Flowise: Code Injection in CSVAgent leads to Authenticated RCE (Critical)
GHSA-9wc7-mj3f-74xv was published for flowise (npm) Apr 16, 2026
Credited to supriza and LIFE-team2024

Istio: SSRF via RequestAuthentication jwksUri (Moderate)
GHSA-fgw5-hp8f-xfhc was published for istio.io/istio (Go) Apr 16, 2026
Credited to KoreaSecurity, 1seal, and AKiileX

basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list() (High)
GHSA-rp42-5vxx-qpwr was published for basic-ftp (npm) Apr 16, 2026
Credited to MaanVader

Kyverno apiCall automatically forwards ServiceAccount token to external endpoints (credential leak) (High)
GHSA-8wfp-579w-6r25 was published for github.com/kyverno/kyverno (Go) Apr 16, 2026
Credited to scumfrog

Kyverno: ServiceAccount token leaked to external servers via apiCall service URL (High)
GHSA-f9g8-6ppc-pqq4 was published for github.com/kyverno/kyverno (Go) Apr 16, 2026
Credited to KoreaSecurity