
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

30,859 advisories

phpMyFAQ: Missing Password Reset Token Allows Account Takeover via Username/Email Enumeration High
GHSA-w9xh-5f39-vq89 was published for phpmyfaq/phpmyfaq (Composer) May 20, 2026
Credited to cyberHunter127
phpMyFAQ: Default Empty API Token Authentication Bypass High
GHSA-gp95-j463-vv28 was published for phpmyfaq/phpmyfaq (Composer) May 20, 2026
Credited to guayu-kakeru
phpMyFAQ: IDOR Account Takeover High
GHSA-xvp4-phqj-cjr3 was published for phpmyfaq/phpmyfaq (Composer) May 20, 2026
Credited to cyberHunter127
phpMyFAQ: Unauthenticated Password Reset Endpoint Allows User Enumeration and Forced Password Change Without Token Validation High
GHSA-9qv9-8xv6-5p35 was published for phpmyfaq/phpmyfaq (Composer) May 20, 2026
Credited to kitu232
Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows Moderate
GHSA-c2c9-mfw7-p8hw was published for flowise (npm) May 20, 2026
Credited to offset and berkdedekarginoglu
Flowise: Hardcoded CORS wildcard on TTS endpoint enables cross-origin credential abuse from any webpage Moderate
GHSA-m837-xvxr-vqwg was published for flowise (npm) May 20, 2026
Credited to DeathsPirate
wger: cross-tenant account deletion / deactivation / activation by gym.manage_gym + gym=None High
GHSA-mw8f-w6p8-xrf4 was published for wger (pip) May 20, 2026
Credited to HiyokoSauna37
OpenTofu: Excessive resource usage in "tofu init" when installing dependencies from attacker-controlled server Low
GHSA-pxh5-6rrc-8rjv was published for github.com/opentofu/opentofu (Go) May 20, 2026
Plug: Unbounded buffer accumulation in multipart header parsing causes denial of service High
CVE-2026-8468 was published for plug (Erlang) May 20, 2026
Credited to maennchen and josevalim
Algernon: Auto-refresh SSE event server sets Access-Control-Allow-Origin: * Moderate
CVE-2026-46431 was published for github.com/xyproto/algernon (Go) May 20, 2026
Credited to Dredsen
Algernon: Auto-refresh SSE event server binds to all interfaces by default on Linux/macOS Moderate
CVE-2026-46430 was published for github.com/xyproto/algernon (Go) May 20, 2026
Credited to Dredsen
Supply chain compromise via malicious package versions (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service) Critical
CVE-2026-46421 was published for @cap-js/db-service (npm) May 20, 2026
Credited to patricebender and chgeo
Setup PHP: GitHub tokens configured by setup-php may be exposed through pinned affected Composer versions Moderate
GHSA-5wxr-w449-57cm was published for shivammathur/setup-php (GitHub Actions) May 20, 2026
Setup PHP: Command Injection in Repository-Derived PHP Version Resolution Moderate
CVE-2026-46420 was published for shivammathur/setup-php (GitHub Actions) May 20, 2026
Diffusers: TOCTOU Trust Remote Code Bypass High
CVE-2026-45804 was published for diffusers (pip) May 20, 2026
Credited to gal-zafran and afogel
@angular/platform-server: SSRF via Hostname Hijacking High
CVE-2026-46417 was published for @angular/platform-server (npm) May 19, 2026
Credited to alan-agius4, AndrewKushnir, VenkatKwest, and dgp1130
Caddy Defender trusted proxy client IP bypass High
CVE-2026-46415 was published for pkg.jsn.cam/caddy-defender (Go) May 19, 2026
Credited to JasonLovesDoggo
Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19) — Mini Shai-Hulud worm Critical
CVE-2026-46412 was published for @beproduct/nestjs-auth (npm) May 19, 2026
FileBrowser Quantum: unauthenticated user share share info High
CVE-2026-46410 was published for github.com/gtsteffaniak/filebrowser (Go) May 19, 2026
CamoFox MCP: Unauthenticated HTTP MCP browser-control surface High
GHSA-7hgr-7h44-33w2 was published for camofox-mcp (npm) May 19, 2026
SQLFluff: Uncontrolled Resource Consumption in SQLFluff Parser High
CVE-2026-46374 was published for sqlfluff (pip) May 19, 2026
SQLFluff: Recursive Stack Overflow in Parser High
CVE-2026-46373 was published for sqlfluff (pip) May 19, 2026
SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl High
CVE-2026-46372 was published for sillytavern (npm) May 19, 2026