Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
45
GitHub Actions
47
Go
3,309
Maven
5,000+
npm
5,000+
NuGet
876
pip
4,531
Pub
12
RubyGems
1,009
Rust
1,195
Swift
51
Unreviewed advisories
All unreviewed
5,000+

27,724 advisories

Loading
LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader Moderate
CVE-2026-27795 was published for @langchain/community (npm) Feb 25, 2026
r3dbrothers Credited to r3dbrothers and hntrl hntrl hntrl
LangGraph: BaseCache Deserialization of Untrusted Data may lead to Remote Code Execution Moderate
CVE-2026-27794 was published for langgraph-checkpoint (pip) Feb 25, 2026
zdi-disclosures Credited to zdi-disclosures
esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route High
CVE-2026-27730 was published for github.com/esm-dev/esm.sh (Go) Feb 25, 2026
poppo25 Credited to poppo25
Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline Critical
CVE-2026-27739 was published for @angular/ssr (npm) Feb 25, 2026
Yenya030 Credited to Yenya030, alan-agius4, securityMB, AndrewKushnir, josephperrott, and dgp1130 alan-agius4 alan-agius4
securityMB securityMB AndrewKushnir AndrewKushnir josephperrott josephperrott dgp1130 dgp1130
Angular SSR has an Open Redirect via X-Forwarded-Prefix Moderate
CVE-2026-27738 was published for @angular/ssr (npm) Feb 25, 2026
alan-agius4 Credited to alan-agius4, josephperrott, securityMB, AndrewKushnir, dgp1130, and VenkatKwest josephperrott josephperrott
securityMB securityMB AndrewKushnir AndrewKushnir dgp1130 dgp1130 VenkatKwest VenkatKwest
Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure High
CVE-2026-27616 was published for code.vikunja.io/api (Go) Feb 25, 2026
iamsampathk Credited to iamsampathk and sudo0xksh sudo0xksh sudo0xksh
RustFS: Missing Post Policy Validation leads to Arbitrary Object Write High
CVE-2026-27607 was published for rustfs (Rust) Feb 25, 2026
nikeee Credited to nikeee
Rollup 4 has Arbitrary File Write via Path Traversal High
CVE-2026-27606 was published for rollup (npm) Feb 25, 2026
viralvaghela Credited to viralvaghela
Basic FTP has Path Traversal Vulnerability in its downloadToDir() method Critical
CVE-2026-27699 was published for basic-ftp (npm) Feb 25, 2026
thecasual Credited to thecasual
Astro has memory exhaustion DoS due to missing request body size limit in Server Actions Moderate
CVE-2026-27729 was published for @astrojs/node (npm) Feb 25, 2026
pHo9UBenaA Credited to pHo9UBenaA
zae-limiter: DynamoDB hot partition throttling enables per-entity Denial of Service Moderate
CVE-2026-27695 was published for zae-limiter (pip) Feb 25, 2026
sodre Credited to sodre
n8n Vulnerable to Stored XSS via Various Nodes High
CVE-2026-27578 was published for n8n (npm) Feb 25, 2026
ori-ron Credited to ori-ron, Aikido-Security, and nil340 Aikido-Security Aikido-Security
nil340 nil340
n8n: Expression Sandbox Escape Leads to RCE Critical
CVE-2026-27577 was published for n8n (npm) Feb 25, 2026
eilonc-pillar Credited to eilonc-pillar, nil340, ediklab, hackerman70000, zolbooo, and c0rydoras nil340 nil340
ediklab ediklab hackerman70000 hackerman70000 zolbooo zolbooo c0rydoras c0rydoras
Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change Critical
CVE-2026-27575 was published for code.vikunja.io/api (Go) Feb 25, 2026
iamsampathk Credited to iamsampathk
Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module Moderate
CVE-2026-27116 was published for code.vikunja.io/api (Go) Feb 25, 2026
sudo0xksh Credited to sudo0xksh
n8n has Arbitrary Command Execution via File Write and Git Operations Critical
CVE-2026-27498 was published for n8n (npm) Feb 25, 2026
fatihhcelik Credited to fatihhcelik
n8n has Potential Remote Code Execution via Merge Node Critical
CVE-2026-27497 was published for n8n (npm) Feb 25, 2026
allsmog Credited to allsmog and nil340 nil340 nil340
n8n has a Sandbox Escape in its JavaScript Task Runner Critical
CVE-2026-27495 was published for n8n (npm) Feb 25, 2026
c0rydoras Credited to c0rydoras
n8n has Arbitrary File Read via Python Code Node Sandbox Escape High
CVE-2026-27494 was published for n8n (npm) Feb 25, 2026
MarcoPoloPie Credited to MarcoPoloPie and Nico-Posada Nico-Posada Nico-Posada
n8n has Unauthenticated Expression Evaluation via Form Node Critical
CVE-2026-27493 was published for n8n (npm) Feb 25, 2026
eilonc-pillar Credited to eilonc-pillar
Rucio WebUI has a Stored Cross-site Scripting (XSS) Vulnerability in its Custom RSE Attribute Moderate
CVE-2026-25736 was published for rucio-webui (pip) Feb 25, 2026
d-woosley Credited to d-woosley
Rucio WebUI has a Stored Cross-site Scripting (XSS) vulnerability its Identity Name Moderate
CVE-2026-25735 was published for rucio-webui (pip) Feb 25, 2026
d-woosley Credited to d-woosley
Rucio WebUI has Stored Cross-site Scripting (XSS) in RSE Metadata Moderate
CVE-2026-25734 was published for rucio-webui (pip) Feb 25, 2026
d-woosley Credited to d-woosley
Mautic is Vulnerable to SQL Injection through Contact Activity API Sorting High
CVE-2026-3105 was published for mautic/core (Composer) Feb 25, 2026
q1uf3ng Credited to q1uf3ng, patrykgruszka, and escopecz patrykgruszka patrykgruszka
escopecz escopecz
ImageMagick has a heap Buffer Over-read in its DJVU image format handler Moderate
CVE-2026-27799 was published for Magick.NET-Q16-AnyCPU (NuGet) Feb 25, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database