GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,570 advisories

WWBN AVideo has an Incomplete fix: Directory traversal bypass via query string in ReceiveImage downloadURL parameters Moderate
GHSA-m63r-m9jh-3vc6 was published for wwbn/avideo (Composer) Apr 14, 2026
WWBN AVideo has an incomplete fix for CVE-2026-33293: Path Traversal Moderate
GHSA-5879-4fmr-xwf2 was published for wwbn/avideo (Composer) Apr 14, 2026
Credited to offset
Zarf has a Path Traversal via Malicious Package Metadata.Name — Arbitrary File Write High
CVE-2026-40090 was published for github.com/zarf-dev/zarf (Go) Apr 14, 2026
Credited to joonas
SFTP root escape via prefix-based path validation in goshs High
CVE-2026-40876 was published for github.com/patrickhener/goshs (Go) Apr 14, 2026
Credited to R1ZZG0D
Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code Moderate
CVE-2026-33929 was published for org.apache.pdfbox:pdfbox-examples (Maven) Apr 14, 2026
gdown Affected by Arbitrary File Write via Path Traversal in gdown.extractall Moderate
CVE-2026-40491 was published for gdown (pip) Apr 14, 2026
Credited to redyank, dyingman1, drkim-dev, and HiHyeonji
excel-mcp-server has a Path Traversal issue Critical
CVE-2026-40576 was published for excel-mcp-server (pip) Apr 14, 2026
Credited to hits313
Daptin has Unauthenticated Path Traversal and Zip Slip Critical
GHSA-9cp7-j3f8-p5jx was published for github.com/daptin/daptin (Go) Apr 10, 2026
gramps-webapi: Zip Slip Path Traversal in Media Archive Import Critical
CVE-2026-40258 was published for gramps-webapi (pip) Apr 10, 2026
Credited to srisowmya2000
Rembg has a Path Traversal via Custom Model Loading Moderate
CVE-2026-40086 was published for rembg (pip) Apr 10, 2026
Credited to yueyueL
Credited to Rydzz7 and abh3
uv vulnerable to arbitrary file deletion through RECORD entries Low
GHSA-pjjw-68hj-v9mw was published for uv (pip) Apr 10, 2026
Credited to konstin, zanieb, woodruffw, EliteTK, and CodeByMoriarty
Credited to axel-corsiez
PraisonAI vulnerable to arbitrary file write via path traversal in `praisonai recipe unpack` Critical
CVE-2026-40157 was published for PraisonAI (pip) Apr 10, 2026
Credited to Mundi-Xu
PraisonAIAgents: Path Traversal via Unvalidated Glob Pattern in list_files Bypasses Workspace Boundary Moderate
CVE-2026-40152 was published for praisonaiagents (pip) Apr 10, 2026
Credited to offset
Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment Moderate
CVE-2026-35206 was published for helm.sh/helm/v3 (Go) Apr 10, 2026
Credited to 1seal
Credited to maru1009
AGiXT Vulnerable to Path Traversal in safe_join() High
CVE-2026-39981 was published for agixt (pip) Apr 8, 2026
Credited to YeranG30
PraisonAI has Memory State Leakage and Path Traversal in MultiAgent Context Handling Moderate
GHSA-766v-q9x3-g744 was published for praisonaiagents (pip) Apr 8, 2026
Credited to offset
quarkus-openapi-generator extension has Zip Slip Path Traversal in ApicurioCodegenWrapper class Moderate
CVE-2026-40180 was published for io.quarkiverse.openapi.generator:quarkus-openapi-generator (Maven) Apr 8, 2026
Credited to oscerd
LiquidJS: `renderFile()` / `parseFile()` bypass configured `root` and allow arbitrary file read Moderate
CVE-2026-39859 was published for liquidjs (npm) Apr 8, 2026
Credited to Ryu7zz
NiceGUI: Upload filename sanitization bypass via backslashes allows path traversal on Windows Moderate
CVE-2026-39844 was published for nicegui (pip) Apr 8, 2026
Credited to offset, evnchn, and falkoschindler
Emmett has a path traversal in internal assets handler Critical
CVE-2026-39847 was published for emmett (pip) Apr 8, 2026
Hono: Path traversal in toSSG() allows writing files outside the output directory Moderate
CVE-2026-39408 was published for hono (npm) Apr 8, 2026
Credited to r74tech