GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
3,586 advisories
An issue in the file handling logic of the component download.php of SAC-NFe v2.0.02 allows...
High | Unreviewed | CVE-2026-30996 was published Apr 15, 2026
ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a...
High | Unreviewed | CVE-2026-34619 was published Apr 15, 2026
ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a...
High | Unreviewed | CVE-2026-27305 was published Apr 15, 2026
WWBN AVideo has a Path Traversal in Locale Save Endpoint Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE)
High | GHSA-6rc6-p838-686f was published for wwbn/avideo (Composer) Apr 14, 2026
Zarf has a Path Traversal via Malicious Package Metadata.Name — Arbitrary File Write
High | CVE-2026-40090 was published for github.com/zarf-dev/zarf (Go) Apr 14, 2026
SFTP root escape via prefix-based path validation in goshs
High | CVE-2026-40876 was published for github.com/patrickhener/goshs (Go) Apr 14, 2026
The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name`...
High | Unreviewed | CVE-2026-6227 was published Apr 14, 2026
Saltcorn has an Unauthenticated Path Traversal in sync endpoints, allowing arbitrary file write and directory read
High | CVE-2026-40163 was published for @saltcorn/server (npm) Apr 10, 2026
Helm has a path traversal in plugin metadata version enables arbitrary file write outside Helm plugin directory
High | CVE-2026-35204 was published for helm.sh/helm/v4 (Go) Apr 10, 2026
The Perfmatters plugin for WordPress is vulnerable to arbitrary file overwrite via path traversal...
High | Unreviewed | CVE-2026-4351 was published Apr 10, 2026
ALEAPP (Android Logs Events And Protobuf Parser) through 3.4.0 contains a path traversal...
High | Unreviewed | CVE-2026-40027 was published Apr 9, 2026
The Sleuth Kit through 4.14.0 contains a path traversal vulnerability in tsk_recover that allows...
High | Unreviewed | CVE-2026-40024 was published Apr 9, 2026
The MW WP Form plugin for WordPress is vulnerable to Arbitrary File Move/Read in all versions up...
High | Unreviewed | CVE-2026-5436 was published Apr 8, 2026
AGiXT Vulnerable to Path Traversal in safe_join()
High | CVE-2026-39981 was published for agixt (pip) Apr 8, 2026
Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to...
High | Unreviewed | CVE-2026-33466 was published Apr 8, 2026
The Advanced Members for ACF plugin for WordPress is vulnerable to arbitrary file deletion due to...
High | Unreviewed | CVE-2026-3243 was published Apr 8, 2026
WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs
High | CVE-2026-39369 was published for WWBN/AVideo (Composer) Apr 8, 2026
PraisonAI recipe registry publish path traversal allows out-of-root file write
High | CVE-2026-39308 was published for PraisonAI (pip) Apr 6, 2026
PraisonAI recipe registry pull path traversal writes files outside the chosen output directory
High | CVE-2026-39306 was published for PraisonAI (pip) Apr 6, 2026
PraisonAI Has Arbitrary File Write (Zip Slip) in Templates Extraction
High | CVE-2026-39307 was published for PraisonAI (pip) Apr 6, 2026
phpBB contains an arbitrary file upload vulnerability that allows authenticated attackers to...
High | Unreviewed | CVE-2019-25685 was published Apr 5, 2026
VA MAX 8.3.4 contains a remote code execution vulnerability that allows authenticated attackers...
High | Unreviewed | CVE-2019-25671 was published Apr 5, 2026
The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion in all versions up...
High | Unreviewed | CVE-2026-3666 was published Apr 4, 2026
Code Extension Marketplace: Zip Slip Path Traversal
High | CVE-2026-35454 was published for github.com/coder/code-marketplace (Go) Apr 4, 2026
Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write
High | CVE-2026-35214 was published for @budibase/server (npm) Apr 4, 2026