GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,296
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
33,218 advisories
Filter by severity
Decidim: Push subscriptions can be abused for server-side requests
Moderate
CVE-2026-45573
was published
for
decidim-core
(RubyGems)
Jul 13, 2026
Decidim: HTML content blocks allow stored script execution
Moderate
CVE-2026-45572
was published
for
decidim-core
(RubyGems)
Jul 13, 2026
Decidim: CSV census record endpoints improper authorization
Moderate
CVE-2026-45415
was published
for
decidim-verifications
(RubyGems)
Jul 13, 2026
Decidim: JWT-backed authentication can be replayed across organizations
High
CVE-2026-45414
was published
for
decidim
(RubyGems)
Jul 13, 2026
Decidim: Verification documents can be downloaded through reusable links
High
CVE-2026-45378
was published
for
decidim-verifications
(RubyGems)
Jul 13, 2026
Decidim: Private exports can be downloaded through reusable links
Moderate
CVE-2026-45377
was published
for
decidim-core
(RubyGems)
Jul 13, 2026
Decidim: Admin user search allows SQL injection through similarity-based sorting
Moderate
CVE-2026-45376
was published
for
decidim-admin
(RubyGems)
Jul 13, 2026
Decidim: Verification admins can access supplied IDs from other organizations
Moderate
CVE-2026-45330
was published
for
decidim-verifications
(RubyGems)
Jul 13, 2026
Decidim: Forms admin question editor lacks authorization
Moderate
CVE-2026-45086
was published
for
decidim-demographics
(RubyGems)
Jul 13, 2026
Apollo Portal: There is a risk of unauthorized access to the Apollo configuration center
Moderate
CVE-2025-32781
was published
for
com.ctrip.framework.apollo:apollo
(Maven)
Jul 13, 2026
GeoNode: Stored XSS to full account takeover
Moderate
CVE-2024-27091
was published
for
geonode
(pip)
Jul 13, 2026
TSDProxy: Internal proxy auth token forwarded to backend services enables management API escalation
Critical
GHSA-g936-7jqj-mwv8
was published
for
github.com/almeidapaulopt/tsdproxy
(Go)
Jul 10, 2026
melange: Incomplete package integrity verification allows data section substitution
High
CVE-2026-54174
was published
for
chainguard.dev/apko
(Go)
Jul 10, 2026
Excon does not redact additional sensitive/risky headers when following redirects
Moderate
CVE-2026-54171
was published
for
excon
(RubyGems)
Jul 10, 2026
Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enabled is unset
High
GHSA-h4g2-xfmw-q2c9
was published
for
clauster
(pip)
Jul 10, 2026
Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input
Moderate
CVE-2026-54163
was published
for
secure_headers
(RubyGems)
Jul 10, 2026
SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content
Critical
CVE-2026-50551
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
prestashop/ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE
Critical
CVE-2026-54159
was published
for
prestashop/ps_facetedsearch
(Composer)
Jul 10, 2026
SiYuan: Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML()
Critical
CVE-2026-54158
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
mcp-atlassian: Arbitrary file read via missing path validation in confluence_upload_attachment
High
GHSA-g5r6-gv6m-f5jv
was published
for
mcp-atlassian
(pip)
Jul 10, 2026
mcp-atlassian: Arbitrary server-side file read via attachment upload
High
GHSA-wm45-qh3g-v83f
was published
for
mcp-atlassian
(pip)
Jul 10, 2026
SafeInstall agent guard shell parsing can miss raw package execution
High
GHSA-xrmc-c5cg-rv7x
was published
for
safeinstall-cli
(npm)
Jul 10, 2026
NotrinosERP: Authenticated arbitrary file upload leads to remote code execution via HRM employee "Documents" (doc_file)
High
GHSA-qv4m-m73m-8hj7
was published
for
notrinos/notrinos-erp
(Composer)
Jul 10, 2026
BabelDOC: Arbitrary Code Execution via CMap Pickle Deserialization in babeldoc/pdfminer/cmapdb.py
High
CVE-2026-54071
was published
for
BabelDOC
(pip)
Jul 10, 2026
File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE)
Critical
CVE-2026-54088
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Jul 10, 2026
ProTip!
Advisories are also available from the
GraphQL API