Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,967
Maven
5,000+
npm
5,000+
NuGet
973
pip
5,000+
Pub
13
RubyGems
1,064
Rust
1,387
Swift
56
Unreviewed advisories
All unreviewed
5,000+

31,362 advisories

Loading
Twig: Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points High
CVE-2026-47732 was published for twig/twig (Composer) Jun 5, 2026
fabpot Credited to fabpot
Twig: XSS in profiler HtmlDumper via unescaped template and profile names Low
CVE-2026-47730 was published for twig/twig (Composer) Jun 5, 2026
nicolas-grekas Credited to nicolas-grekas
Bugsink: DOS using large numbers of event tags Moderate
GHSA-5x67-j5xg-c5gj was published for bugsink (pip) Jun 5, 2026
Bugsink: Project scoping missing in sourcemap and debug-file lookup Moderate
CVE-2026-47728 was published for bugsink (pip) Jun 5, 2026
ShuluZhuo Credited to ShuluZhuo
Bugsink: Issue bulk actions can affect another project’s issue if its UUID is known Low
CVE-2026-47716 was published for bugsink (pip) Jun 5, 2026
Susen2 Credited to Susen2
Bugsink: Issue event views can show an event from another project if its UUID is known Low
CVE-2026-47715 was published for bugsink (pip) Jun 5, 2026
nuiifornet Credited to nuiifornet
Twig: Possible sandbox bypass when using a source policy High
CVE-2026-24425 was published for twig/twig (Composer) Jun 5, 2026
fabpot Credited to fabpot, wsparks-vc, XavLimSG, and Vincent550102 wsparks-vc wsparks-vc
XavLimSG XavLimSG Vincent550102 Vincent550102
Shopper: Authorization bypass and RBAC privilege escalation in team settings Critical
CVE-2026-47744 was published for shopper/framework (Composer) Jun 5, 2026
baradika Credited to baradika
Shopper: Multiple data integrity and disclosure issues in admin Livewire components High
CVE-2026-47743 was published for shopper/framework (Composer) Jun 5, 2026
baradika Credited to baradika
Shopper: Missing per-action authorization on PaymentMethods, Currencies and Carriers admin tables Moderate
CVE-2026-47745 was published for shopper/framework (Composer) Jun 5, 2026
baradika Credited to baradika
Shopper: Missing authorization on Product admin Livewire sub-form components Moderate
CVE-2026-47742 was published for shopper/framework (Composer) Jun 5, 2026
baradika Credited to baradika
TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection High
CVE-2026-47761 was published for TinyMCE (Composer) Jun 5, 2026
UncleJ4ck Credited to UncleJ4ck and ange-primiterra ange-primiterra ange-primiterra
TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments High
CVE-2026-47762 was published for TinyMCE (Composer) Jun 5, 2026
he1d3n Credited to he1d3n
TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes High
CVE-2026-47759 was published for TinyMCE (Composer) Jun 5, 2026
mtrill47 Credited to mtrill47 and he1d3n he1d3n he1d3n
TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs High
CVE-2026-47760 was published for TinyMCE (Composer) Jun 5, 2026
maple3142 Credited to maple3142
skillctl: Path traversal and symlink-follow in skillctl allow arbitrary file disclosure and deletion High
GHSA-wx3m-whqv-xv47 was published for skillctl (Rust) Jun 5, 2026
NASA AMMOS Instrument Toolkit: Path traversal resulting in arbitrary file append (can be triggered over the network by unauthenticated attacker) Critical
CVE-2026-47731 was published for ait-core (pip) Jun 5, 2026
ehtec Credited to ehtec
Improper Access Control in vantage6 node Moderate
GHSA-x9f6-9rvm-mmrg was published for vantage6 (pip) Jun 5, 2026
Vantage6: Set admin user and password from environment or configuration Moderate
GHSA-fgmc-2hqj-86v4 was published for vantage6 (pip) Jun 5, 2026
NocoDB: OAuth Tokens Persist Through Security Events Moderate
GHSA-g72g-r7m4-9x4g was published for nocodb (npm) Jun 5, 2026
bugbunny-research Credited to bugbunny-research
Klever-Go KVM: Unauthenticated remote node crash (nil-pointer DoS) in klever-go P2P transaction interceptor (txVersionChecker nil RawData) - potential chain halt High
GHSA-rm5c-5x2p-48wr was published for github.com/klever-io/klever-go (Go) Jun 5, 2026
ch4r0utf8 Credited to ch4r0utf8
klever-go: REST API slow-header connection exhaustion via Gin Engine.Run High
GHSA-w4c6-7r69-w7j9 was published for github.com/klever-io/klever-go (Go) Jun 5, 2026
estensen Credited to estensen
klever-go: Unbounded goroutine spawn on direct-message ingress enables peer-driven DoS High
GHSA-hf2g-6j7h-98wg was published for github.com/klever-io/klever-go (Go) Jun 5, 2026
estensen Credited to estensen
Klever-Go KVM: Throttler slot leak in trie account-data sync causes epoch bootstrap / state sync DoS Moderate
CVE-2026-49343 was published for github.com/klever-io/klever-go (Go) Jun 5, 2026
maiiquynhh Credited to maiiquynhh
DbGate: Remote Code Execution via functionName injection in loadReader endpoint High
CVE-2026-48017 was published for dbgate-api (npm) Jun 5, 2026
romain-deperne Credited to romain-deperne
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database