Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
41
Go
3,029
Maven
5,000+
npm
4,768
NuGet
824
pip
4,373
Pub
12
RubyGems
987
Rust
1,143
Swift
50
Unreviewed advisories
All unreviewed
5,000+

26,402 advisories

Loading
n8n: Webhook Forgery on Github Webhook Trigger Moderate
GHSA-mqpr-49jj-32rc was published for n8n (npm) Feb 26, 2026
simonkoeck
Credited to simonkoeck
n8n: SQL Injection in MySQL, PostgreSQL, and Microsoft SQL nodes Moderate
GHSA-f3f2-mcxc-pwjx was published for n8n (npm) Feb 26, 2026
Vikunja has Path Traversal in CLI Restore High
CVE-2026-27819 was published for code.vikunja.io/api (Go) Feb 26, 2026
TerriaJS-Server has a domain validation bypass vulnerability in its proxy allowlist High
CVE-2026-27818 was published for terriajs-server (npm) Feb 26, 2026
psd-tools: Compression module has unguarded zlib decompression, missing dimension validation, and hardening gaps Moderate
CVE-2026-27809 was published for psd-tools (pip) Feb 26, 2026
Mailpit is Vulnerable to Server-Side Request Forgery (SSRF) via Link Check API Moderate
CVE-2026-27808 was published for github.com/axllent/mailpit (Go) Feb 26, 2026
rtvkiz
Credited to rtvkiz
mcp-server-git : Path traversal in git_add allows staging files outside repository boundaries Moderate
CVE-2026-27735 was published for mcp-server-git (pip) Feb 26, 2026
Storybook Dev Server is Vulnerable to WebSocket Hijacking High
CVE-2026-27148 was published for storybook (npm) Feb 26, 2026
Aikido-Security reindaelman
grumpinout1 JorianWoltjer
Credited to Aikido-Security, reindaelman, grumpinout1, and JorianWoltjer
Fleet has an SQL Injection vulnerability via backtick escape in ORDER BY parameter Moderate
CVE-2026-26186 was published for github.com/fleetdm/fleet/v4 (Go) Feb 26, 2026
Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter Critical
CVE-2026-27804 was published for parse-server (npm) Feb 25, 2026
sebastianosrt mtrezza
Credited to sebastianosrt and mtrezza
Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover Critical
CVE-2026-27822 was published for rustfs (Rust) Feb 25, 2026
naoyashiga
Credited to naoyashiga
LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader Moderate
CVE-2026-27795 was published for @langchain/community (npm) Feb 25, 2026
r3dbrothers hntrl
Credited to r3dbrothers and hntrl
LangGraph: BaseCache Deserialization of Untrusted Data may lead to Remote Code Execution Moderate
CVE-2026-27794 was published for langgraph-checkpoint (pip) Feb 25, 2026
zdi-disclosures
Credited to zdi-disclosures
esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route High
CVE-2026-27730 was published for github.com/esm-dev/esm.sh (Go) Feb 25, 2026
poppo25
Credited to poppo25
Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline Critical
CVE-2026-27739 was published for @angular/ssr (npm) Feb 25, 2026
Yenya030 alan-agius4
securityMB AndrewKushnir josephperrott dgp1130
Credited to Yenya030, alan-agius4, securityMB, AndrewKushnir, josephperrott, and dgp1130
Angular SSR has an Open Redirect via X-Forwarded-Prefix Moderate
CVE-2026-27738 was published for @angular/ssr (npm) Feb 25, 2026
alan-agius4 josephperrott
securityMB AndrewKushnir dgp1130 VenkatKwest
Credited to alan-agius4, josephperrott, securityMB, AndrewKushnir, dgp1130, and VenkatKwest
Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure High
CVE-2026-27616 was published for code.vikunja.io/api (Go) Feb 25, 2026
iamsampathk sudo0xksh
Credited to iamsampathk and sudo0xksh
RustFS: Missing Post Policy Validation leads to Arbitrary Object Write High
CVE-2026-27607 was published for rustfs (Rust) Feb 25, 2026
nikeee
Credited to nikeee
Rollup 4 has Arbitrary File Write via Path Traversal High
CVE-2026-27606 was published for rollup (npm) Feb 25, 2026
viralvaghela
Credited to viralvaghela
Basic FTP has Path Traversal Vulnerability in its downloadToDir() method Critical
CVE-2026-27699 was published for basic-ftp (npm) Feb 25, 2026
thecasual
Credited to thecasual
Astro has memory exhaustion DoS due to missing request body size limit in Server Actions Moderate
CVE-2026-27729 was published for @astrojs/node (npm) Feb 25, 2026
pHo9UBenaA
Credited to pHo9UBenaA
zae-limiter: DynamoDB hot partition throttling enables per-entity Denial of Service Moderate
CVE-2026-27695 was published for zae-limiter (pip) Feb 25, 2026
sodre
Credited to sodre
n8n Vulnerable to Stored XSS via Various Nodes High
CVE-2026-27578 was published for n8n (npm) Feb 25, 2026
ori-ron Aikido-Security
nil340
Credited to ori-ron, Aikido-Security, and nil340
n8n: Expression Sandbox Escape Leads to RCE Critical
CVE-2026-27577 was published for n8n (npm) Feb 25, 2026
eilonc-pillar nil340
ediklab hackerman70000 zolbooo
Credited to eilonc-pillar, nil340, ediklab, hackerman70000, and zolbooo
Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change Critical
CVE-2026-27575 was published for code.vikunja.io/api (Go) Feb 25, 2026
iamsampathk
Credited to iamsampathk
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database