Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
69
GitHub Actions
50
Go
3,876
Maven
5,000+
npm
5,000+
NuGet
958
pip
5,000+
Pub
13
RubyGems
1,061
Rust
1,363
Swift
54
Unreviewed advisories
All unreviewed
5,000+

72 advisories

Loading
Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users to Retain Privileges for Up to 1 Hour Moderate
CVE-2026-46424 was published for @budibase/backend-core (npm) May 19, 2026
offset Credited to offset
Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on Out-of-Scope Rows Moderate
CVE-2026-45718 was published for budibase (npm) May 18, 2026
offset Credited to offset
Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration High
CVE-2026-45716 was published for @budibase/worker (npm) May 18, 2026
offset Credited to offset
FlowiseAI: Evaluator create+update mass-assignment allows cross-workspace evaluator takeover High
CVE-2026-46480 was published for flowise (npm) May 14, 2026
offset Credited to offset
FlowiseAI: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover High
CVE-2026-46479 was published for flowise (npm) May 14, 2026
offset Credited to offset
FlowiseAI: DatasetRow create+update mass-assignment allows cross-workspace row takeover High
CVE-2026-46478 was published for flowise (npm) May 14, 2026
offset Credited to offset
FlowiseAI: Dataset create+update mass-assignment allows cross-workspace dataset takeover High
CVE-2026-46477 was published for flowise (npm) May 14, 2026
offset Credited to offset
FlowiseAI: CustomTemplate create+update mass-assignment allows cross-workspace template takeover High
CVE-2026-46476 was published for flowise (npm) May 14, 2026
offset Credited to offset
FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover High
CVE-2026-46475 was published for flowise (npm) May 14, 2026
offset Credited to offset
next-intl has prototype pollution with `experimental.messages.precompile` via attacker-controlled translation catalog keys Moderate
GHSA-4c35-wcg5-mm9h was published for next-intl (npm) May 6, 2026
offset Credited to offset
mcp-data-vis vulnerable to denial of service via unsanitized `select` key lookup on `Object.prototype` with `precompile: true` Low
GHSA-r27j-894h-3w3p was published for icu-minify (npm) May 6, 2026
offset Credited to offset
@evomap/evolver's validator sandbox allowlist permits `npm`/`npx`, yielding RCE from Hub-delivered validation tasks via lifecycle scripts High
GHSA-jxh8-jh77-xh6g was published for @evomap/evolver (npm) May 5, 2026
offset Credited to offset
@evomap/evolver has an unbounded request body in proxy /asset/submit that causes persistent disk-exhaustion DoS Moderate
GHSA-7xp7-m392-h92c was published for @evomap/evolver (npm) May 5, 2026
offset Credited to offset
@evomap/evolver: Path Traversal in `evolver fetch` default-branch `safeId` allows Hub-controlled overwrite of project files (RCE) High
GHSA-cfcj-hqpf-hccf was published for @evomap/evolver (npm) May 5, 2026
offset Credited to offset
Astro: XSS in define:vars via incomplete </script> tag sanitization Moderate
CVE-2026-41067 was published for astro (npm) Apr 21, 2026
offset Credited to offset
Paperclip: Cross-tenant agent API key IDOR in `/agents/:id/keys` routes allows full victim-company compromise Critical
GHSA-3xx2-mqjm-hg9x was published for @paperclipai/server (npm) Apr 16, 2026
offset Credited to offset
Paperclip: Stored XSS via javascript: URLs in MarkdownBody — urlTransform override disables react-markdown sanitization Moderate
GHSA-fpw4-p57j-hqmq was published for @paperclipai/ui (npm) Apr 16, 2026
offset Credited to offset
Paperclip: Approval decision attribution spoofing via client-controlled `decidedByUserId` in paperclip server Moderate
GHSA-p7mm-r948-4q3q was published for @paperclipai/server (npm) Apr 16, 2026
offset Credited to offset
sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements Moderate
CVE-2026-40186 was published for sanitize-html (npm) Apr 16, 2026
offset Credited to offset
ApostropheCMS: Information Disclosure via choices/counts Query Parameters Bypassing publicApiProjection Field Restrictions Moderate
CVE-2026-39857 was published for apostrophe (npm) Apr 16, 2026
offset Credited to offset
ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context Moderate
CVE-2026-33889 was published for apostrophe (npm) Apr 16, 2026
offset Credited to offset
ApostropheCMS: publicApiProjection Bypass via project Query Builder in Piece-Type REST API Moderate
CVE-2026-33888 was published for apostrophe (npm) Apr 16, 2026
offset Credited to offset
ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint Low
CVE-2026-33877 was published for apostrophe (npm) Apr 16, 2026
offset Credited to offset
basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands High
GHSA-6v7q-wjvx-w8wg was published for basic-ftp (npm) Apr 10, 2026
offset Credited to offset
LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter Low
CVE-2026-34166 was published for liquidjs (npm) Apr 8, 2026
offset Credited to offset
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database