GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
48 advisories
paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass
Critical
GHSA-68qg-g8mg-6pr7
was published
for
@paperclipai/server
(npm)
Apr 10, 2026
Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist
Critical
CVE-2026-31818
was published
for
@budibase/backend-core
(npm)
Apr 3, 2026
DNS Rebinding Protection Disabled by Default in Model Context Protocol Go SDK for Servers Running on Localhost
High
CVE-2026-34742
was published
for
github.com/modelcontextprotocol/go-sdk
(Go)
Apr 1, 2026
@siteboon/claude-code-ui Vulnerable to Unauthenticated RCE via WebSocket Shell Injection
High
CVE-2026-31975
was published
for
@siteboon/claude-code-ui
(npm)
Mar 11, 2026
Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise
Critical
CVE-2026-26190
was published
for
github.com/milvus-io/milvus
(Go)
Feb 11, 2026
FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration
Critical
CVE-2026-25894
was published
for
fuxa-server
(npm)
Feb 5, 2026
terraform-provider-proxmox has insecure sudo recommendation in the documentation
High
CVE-2026-25499
was published
for
github.com/bpg/terraform-provider-proxmox
(Go)
Feb 2, 2026
Misskey has a login rate limit bypass via spoofed X-Forwarded-For header
Moderate
CVE-2025-66482
was published
for
misskey-js
(npm)
Dec 15, 2025
Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default
High
CVE-2025-66416
was published
for
mcp
(pip)
Dec 2, 2025
Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default
High
CVE-2025-66414
was published
for
@modelcontextprotocol/sdk
(npm)
Dec 2, 2025
NodeJS version of HAX CMS Has Insecure Default Configuration That Leads to Unauthenticated Access
Critical
CVE-2025-54127
was published
for
@haxtheweb/haxcms-nodejs
(npm)
Jul 21, 2025
Filament has exported files stored in default (`public`) filesystem if not reconfigured
Low
CVE-2024-51758
was published
for
filament/actions
(Composer)
Nov 7, 2024
ProTip!
Advisories are also available from the
GraphQL API