Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
41
Go
3,026
Maven
5,000+
npm
4,763
NuGet
824
pip
4,366
Pub
12
RubyGems
987
Rust
1,143
Swift
50
Unreviewed advisories
All unreviewed
5,000+

26,382 advisories

Loading
Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter Critical
CVE-2026-27804 was published for parse-server (npm) Feb 25, 2026
sebastianosrt mtrezza
Credited to sebastianosrt and mtrezza
Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover Critical
CVE-2026-27822 was published for rustfs (Rust) Feb 25, 2026
naoyashiga
Credited to naoyashiga
LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader Moderate
CVE-2026-27795 was published for @langchain/community (npm) Feb 25, 2026
r3dbrothers hntrl
Credited to r3dbrothers and hntrl
LangGraph: BaseCache Deserialization of Untrusted Data may lead to Remote Code Execution Moderate
CVE-2026-27794 was published for langgraph-checkpoint (pip) Feb 25, 2026
zdi-disclosures
Credited to zdi-disclosures
esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route High
CVE-2026-27730 was published for github.com/esm-dev/esm.sh (Go) Feb 25, 2026
poppo25
Credited to poppo25
Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline Critical
CVE-2026-27739 was published for @angular/ssr (npm) Feb 25, 2026
Yenya030 alan-agius4
securityMB AndrewKushnir josephperrott dgp1130
Credited to Yenya030, alan-agius4, securityMB, AndrewKushnir, josephperrott, and dgp1130
Angular SSR has an Open Redirect via X-Forwarded-Prefix Moderate
CVE-2026-27738 was published for @angular/ssr (npm) Feb 25, 2026
alan-agius4 josephperrott
securityMB AndrewKushnir dgp1130 VenkatKwest
Credited to alan-agius4, josephperrott, securityMB, AndrewKushnir, dgp1130, and VenkatKwest
Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure High
CVE-2026-27616 was published for code.vikunja.io/api (Go) Feb 25, 2026
iamsampathk sudo0xksh
Credited to iamsampathk and sudo0xksh
RustFS: Missing Post Policy Validation leads to Arbitrary Object Write High
CVE-2026-27607 was published for rustfs (Rust) Feb 25, 2026
nikeee
Credited to nikeee
Rollup 4 has Arbitrary File Write via Path Traversal High
CVE-2026-27606 was published for rollup (npm) Feb 25, 2026
viralvaghela
Credited to viralvaghela
Basic FTP has Path Traversal Vulnerability in its downloadToDir() method Critical
CVE-2026-27699 was published for basic-ftp (npm) Feb 25, 2026
thecasual
Credited to thecasual
Astro has memory exhaustion DoS due to missing request body size limit in Server Actions Moderate
CVE-2026-27729 was published for @astrojs/node (npm) Feb 25, 2026
pHo9UBenaA
Credited to pHo9UBenaA
zae-limiter: DynamoDB hot partition throttling enables per-entity Denial of Service Moderate
CVE-2026-27695 was published for zae-limiter (pip) Feb 25, 2026
sodre
Credited to sodre
n8n Vulnerable to Stored XSS via Various Nodes High
CVE-2026-27578 was published for n8n (npm) Feb 25, 2026
ori-ron Aikido-Security
nil340
Credited to ori-ron, Aikido-Security, and nil340
n8n: Expression Sandbox Escape Leads to RCE Critical
CVE-2026-27577 was published for n8n (npm) Feb 25, 2026
eilonc-pillar nil340
ediklab hackerman70000 zolbooo
Credited to eilonc-pillar, nil340, ediklab, hackerman70000, and zolbooo
Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change Critical
CVE-2026-27575 was published for code.vikunja.io/api (Go) Feb 25, 2026
iamsampathk
Credited to iamsampathk
Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module Moderate
CVE-2026-27116 was published for code.vikunja.io/api (Go) Feb 25, 2026
sudo0xksh
Credited to sudo0xksh
n8n has Arbitrary Command Execution via File Write and Git Operations Critical
CVE-2026-27498 was published for n8n (npm) Feb 25, 2026
fatihhcelik
Credited to fatihhcelik
n8n has Potential Remote Code Execution via Merge Node Critical
CVE-2026-27497 was published for n8n (npm) Feb 25, 2026
allsmog nil340
Credited to allsmog and nil340
n8n has a Sandbox Escape in its JavaScript Task Runner Critical
CVE-2026-27495 was published for n8n (npm) Feb 25, 2026
c0rydoras
Credited to c0rydoras
n8n has Arbitrary File Read via Python Code Node Sandbox Escape High
CVE-2026-27494 was published for n8n (npm) Feb 25, 2026
MarcoPoloPie Nico-Posada
Credited to MarcoPoloPie and Nico-Posada
n8n has Unauthenticated Expression Evaluation via Form Node Critical
CVE-2026-27493 was published for n8n (npm) Feb 25, 2026
eilonc-pillar
Credited to eilonc-pillar
Rucio WebUI has a Stored Cross-site Scripting (XSS) Vulnerability in its Custom RSE Attribute Moderate
CVE-2026-25736 was published for rucio-webui (pip) Feb 25, 2026
d-woosley
Credited to d-woosley
Rucio WebUI has a Stored Cross-site Scripting (XSS) vulnerability its Identity Name Moderate
CVE-2026-25735 was published for rucio-webui (pip) Feb 25, 2026
d-woosley
Credited to d-woosley
Rucio WebUI has Stored Cross-site Scripting (XSS) in RSE Metadata Moderate
CVE-2026-25734 was published for rucio-webui (pip) Feb 25, 2026
d-woosley
Credited to d-woosley
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database