Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,004
Maven
5,000+
npm
5,000+
NuGet
974
pip
5,000+
Pub
13
RubyGems
1,069
Rust
1,395
Swift
61
Unreviewed advisories
All unreviewed
5,000+

31,556 advisories

Loading
TYPO3 CMS has Broken Access Control in its Media Module High
CVE-2026-49742 was published for typo3/cms-core (Composer) Jun 12, 2026
TYPO3 CMS has Insecure Deserialization via Core API Moderate
CVE-2026-49740 was published for typo3/cms-core (Composer) Jun 12, 2026
TYPO3 CMS has Broken Access Control in its File Abstraction Layer Low
CVE-2026-49738 was published for typo3/cms-core (Composer) Jun 12, 2026
TYPO3 CMS has Broken Access Control in Backend API Moderate
CVE-2026-47352 was published for typo3/cms-backend (Composer) Jun 12, 2026
TYPO3 CMS: Broken Access Control in Media Module Moderate
CVE-2026-47351 was published for typo3/cms-backend (Composer) Jun 12, 2026
TYPO3 CMS has Cross-Site Scripting in Indexed Search Moderate
CVE-2026-47348 was published for typo3/cms-core (Composer) Jun 12, 2026
TYPO3 HTML Sanitizer allows Cross-site Scripting Low
CVE-2026-47344 was published for typo3/html-sanitizer (Composer) Jun 12, 2026
ohader Credited to ohader
Tornado has out-of-bounds memory access via C extension Low
CVE-2026-49854 was published for tornado (pip) Jun 12, 2026
sondt99 Credited to sondt99
nebula-mesh: POST /api/v1/hosts/{id}/mobile-bundle response lacks Cache-Control: no-store Low
GHSA-6vgg-xhvh-38ff was published for github.com/juev/nebula-mesh (Go) Jun 12, 2026
ak2k Credited to ak2k
pypdf: Possible long runtimes for zero-only width values in cross-reference streamsuntimes for zero-only width values in cross-reference streams Moderate
CVE-2026-48156 was published for pypdf (pip) Jun 12, 2026
sondt99 Credited to sondt99 and stefan6419846 stefan6419846 stefan6419846
pypdf: Possible large memory usage for large offsets for layout mode text Moderate
CVE-2026-48155 was published for pypdf (pip) Jun 12, 2026
sondt99 Credited to sondt99 and stefan6419846 stefan6419846 stefan6419846
gorest InMemorySecret2FA race condition allows process crash via concurrent map access (CWE-362) Moderate
CVE-2026-48154 was published for github.com/pilinux/gorest (Go) Jun 12, 2026
Appsmith: Configuration-dependent origin validation bypass in password reset and email verification link generation High
GHSA-j9gf-vw2f-9hrw was published for com.appsmith:server (Maven) Jun 12, 2026
0xmrma Credited to 0xmrma
Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL High
CVE-2026-48152 was published for @budibase/server (npm) Jun 12, 2026
Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema High
CVE-2026-48151 was published for @budibase/server (npm) Jun 12, 2026
liyander Credited to liyander
Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign Critical
CVE-2026-48150 was published for @budibase/server (npm) Jun 12, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Appsmith Super User Creation Race Condition Allows Multiple Instance Administrators High
GHSA-9wcp-79g5-5c3c was published for com.appsmith:server (Maven) Jun 12, 2026
Moonster8282 Credited to Moonster8282
Budibase: Unvalidated VectorDB Host Parameter Enables SSRF Moderate
CVE-2026-48148 was published for @budibase/server (npm) Jun 12, 2026
fg0x0 Credited to fg0x0
Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker Moderate
CVE-2026-48147 was published for @budibase/backend-core (npm) Jun 12, 2026
b-hermes Credited to b-hermes
GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution Moderate
CVE-2025-58175 was published for org.geoserver.web:gs-web-app (Maven) Jun 12, 2026
lemauanhphong Credited to lemauanhphong and jodygarnett jodygarnett jodygarnett
GeoServer has an arbitrary file write vulnerability in its Master Password Dump Page High
CVE-2025-52465 was published for org.geoserver.web:gs-web-app (Maven) Jun 12, 2026
YacineF Credited to YacineF, sikeoka, partywavesec, and jodygarnett sikeoka sikeoka
partywavesec partywavesec jodygarnett jodygarnett
Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection High
CVE-2026-48146 was published for @budibase/server (npm) Jun 12, 2026
axel-corsiez Credited to axel-corsiez
Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step Moderate
CVE-2026-48128 was published for budibase (npm) Jun 12, 2026
fg0x0 Credited to fg0x0
SwiftNIO HTTP/2: HTTP/2-to-HTTP/1 Request Smuggling via unvalidated :path pseudo-header in HTTP2ToHTTP1Codec Low
CVE-2026-28898 was published for github.com/apple/swift-nio-http2 (Swift) Jun 12, 2026
kuranikaran Credited to kuranikaran
NIOExtras: NIOHTTPRequestDecompressor ratio limit bypass via inflated Content-Length Moderate
CVE-2026-28975 was published for github.com/apple/swift-nio-extras (Swift) Jun 12, 2026
nathanielmiller23 Credited to nathanielmiller23
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database