GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 40
GitHub Actions: 41
Go: 3,029
Maven: 5,000+
npm: 4,768
NuGet: 824
pip: 4,373
Pub: 12
RubyGems: 987
Rust: 1,143
Swift: 50

Unreviewed advisories
All unreviewed: 5,000+

26,402 advisories

n8n: Webhook Forgery on GitHub Webhook Trigger
Moderate | GHSA-mqpr-49jj-32rc was published for n8n (npm) | Feb 26, 2026

n8n: SQL Injection in MySQL, PostgreSQL, and Microsoft SQL nodes
Moderate | GHSA-f3f2-mcxc-pwjx was published for n8n (npm) | Feb 26, 2026

Vikunja has Path Traversal in CLI Restore
High | CVE-2026-27819 was published for code.vikunja.io/api (Go) | Feb 26, 2026

TerriaJS-Server has a domain validation bypass vulnerability in its proxy allowlist
High | CVE-2026-27818 was published for terriajs-server (npm) | Feb 26, 2026

psd-tools: Compression module has unguarded zlib decompression, missing dimension validation, and hardening gaps
Moderate | CVE-2026-27809 was published for psd-tools (pip) | Feb 26, 2026

Mailpit is Vulnerable to Server-Side Request Forgery (SSRF) via Link Check API
Moderate | CVE-2026-27808 was published for github.com/axllent/mailpit (Go) | Feb 26, 2026

mcp-server-git: Path traversal in git_add allows staging files outside repository boundaries
Moderate | CVE-2026-27735 was published for mcp-server-git (pip) | Feb 26, 2026

Storybook Dev Server is Vulnerable to WebSocket Hijacking
High | CVE-2026-27148 was published for storybook (npm) | Feb 26, 2026

Fleet has an SQL Injection vulnerability via backtick escape in ORDER BY parameter
Moderate | CVE-2026-26186 was published for github.com/fleetdm/fleet/v4 (Go) | Feb 26, 2026

Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter
Critical | CVE-2026-27804 was published for parse-server (npm) | Feb 25, 2026

Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover
Critical | CVE-2026-27822 was published for rustfs (Rust) | Feb 25, 2026

LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader
Moderate | CVE-2026-27795 was published for @langchain/community (npm) | Feb 25, 2026

LangGraph: BaseCache Deserialization of Untrusted Data may lead to Remote Code Execution
Moderate | CVE-2026-27794 was published for langgraph-checkpoint (pip) | Feb 25, 2026

esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route
High | CVE-2026-27730 was published for github.com/esm-dev/esm.sh (Go) | Feb 25, 2026

Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline
Critical | CVE-2026-27739 was published for @angular/ssr (npm) | Feb 25, 2026

Angular SSR has an Open Redirect via X-Forwarded-Prefix
Moderate | CVE-2026-27738 was published for @angular/ssr (npm) | Feb 25, 2026

Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure
High | CVE-2026-27616 was published for code.vikunja.io/api (Go) | Feb 25, 2026

RustFS: Missing Post Policy Validation leads to Arbitrary Object Write
High | CVE-2026-27607 was published for rustfs (Rust) | Feb 25, 2026

Rollup 4 has Arbitrary File Write via Path Traversal
High | CVE-2026-27606 was published for rollup (npm) | Feb 25, 2026

Basic FTP has Path Traversal Vulnerability in its downloadToDir() method
Critical | CVE-2026-27699 was published for basic-ftp (npm) | Feb 25, 2026

Astro has memory exhaustion DoS due to missing request body size limit in Server Actions
Moderate | CVE-2026-27729 was published for @astrojs/node (npm) | Feb 25, 2026

zae-limiter: DynamoDB hot partition throttling enables per-entity Denial of Service
Moderate | CVE-2026-27695 was published for zae-limiter (pip) | Feb 25, 2026

n8n Vulnerable to Stored XSS via Various Nodes
High | CVE-2026-27578 was published for n8n (npm) | Feb 25, 2026

n8n: Expression Sandbox Escape Leads to RCE
Critical | CVE-2026-27577 was published for n8n (npm) | Feb 25, 2026

Vikunja has Weak Password Policy Combined with Persistent Sessions After Password Change
Critical | CVE-2026-27575 was published for code.vikunja.io/api (Go) | Feb 25, 2026

ProTip! Advisories are also available from the GraphQL API.