Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
57
GitHub Actions
50
Go
3,767
Maven
5,000+
npm
5,000+
NuGet
937
pip
4,999
Pub
13
RubyGems
1,058
Rust
1,347
Swift
54
Unreviewed advisories
All unreviewed
5,000+

81 advisories

Loading
Microsoft APM CLI's plugin.json component paths escape plugin root and copy arbitrary host files during install High
CVE-2026-44641 was published for apm-cli (pip) May 7, 2026
0xmrma Credited to 0xmrma
Gotenberg allows Chromium URL conversion routes to read arbitrary files under /tmp via file:// scheme Moderate
CVE-2026-42597 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Goteberg has arbitrary PDF read via stampExpression and watermarkExpression in merge, split, and convert routes Moderate
CVE-2026-42593 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
changedetection.io has an Arbitrary Local File Read via a crafted backup restore High
CVE-2026-43891 was published for changedetection.io (pip) May 5, 2026
minhlh56 Credited to minhlh56
@evomap/evolver: Path Traversal in `evolver fetch` default-branch `safeId` allows Hub-controlled overwrite of project files (RCE) High
GHSA-cfcj-hqpf-hccf was published for @evomap/evolver (npm) May 5, 2026
offset Credited to offset
i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite High
CVE-2026-41693 was published for i18next-fs-backend (npm) Apr 22, 2026
nbconvert has an Arbitrary File Write via Path Traversal in Cell Attachment Filenames Moderate
CVE-2026-39377 was published for nbconvert (pip) Apr 21, 2026
g0blinResearch Credited to g0blinResearch
Duplicate Advisory: OpenClaw: Webchat media embedding enforces local-root containment for tool-result files Moderate
GHSA-qc5j-2mqx-x83q was published for openclaw (npm) Apr 20, 2026 withdrawn
OpenClaw: Webchat media embedding enforces local-root containment for tool-result files Moderate
CVE-2026-41389 was published for openclaw (npm) Apr 17, 2026
Kherrisan Credited to Kherrisan
Paperclip: Arbitrary File Read via Agent-Controlled adapterConfig.instructionsFilePath Moderate
GHSA-3pw3-v88x-xj24 was published for @paperclipai/shared (npm) Apr 16, 2026
lilmingwa13 Credited to lilmingwa13
Rembg has a Path Traversal via Custom Model Loading Moderate
CVE-2026-40086 was published for rembg (pip) Apr 10, 2026
yueyueL Credited to yueyueL
OpenClaw: Shared reply MEDIA - paths are treated as trusted and can trigger cross-channel local file exfiltration Moderate
CVE-2026-42424 was published for openclaw (npm) Apr 9, 2026
threalwinky Credited to threalwinky
Gotenberg has incomplete fix for ExifTool arbitrary file write: case-insensitive bypass and missing HardLink/SymLink tags High
GHSA-qmwh-9m9c-h36m was published for github.com/gotenberg/gotenberg/v8 (Go) Apr 7, 2026
kodareef5 Credited to kodareef5
Ferret: Path Traversal in IO::FS::WRITE allows arbitrary file write when scraping malicious websites High
CVE-2026-34783 was published for github.com/MontFerret/ferret (Go) Apr 1, 2026
DavidCarliez Credited to DavidCarliez
SillyTavern has a path traversal in `/api/chats/import` allows arbitrary file write outside intended chat directory High
CVE-2026-34522 was published for sillytavern (npm) Apr 1, 2026
maru1009 Credited to maru1009
baserCMS Path Traversal Leads to Arbitrary File Write and RCE via Theme File API High
CVE-2026-30940 was published for baserproject/basercms (Composer) Mar 31, 2026
kaminuma Credited to kaminuma
@tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files High
CVE-2026-33949 was published for @tinacms/graphql (npm) Mar 30, 2026
aarjubh Credited to aarjubh
Nginx Configuration Directory Vulnerable to Recursive Deletion via Improper Path Validation Moderate
CVE-2026-33027 was published for github.com/0xJacky/Nginx-UI (Go) Mar 30, 2026
dapickle Credited to dapickle
@mobilenext/mobile-mcp alllows arbitrary file write via Path Traversal in mobile screen capture tools High
CVE-2026-33989 was published for @mobilenext/mobile-mcp (npm) Mar 27, 2026
AbhiTheModder Credited to AbhiTheModder
Siyuan has an Unauthenticated Arbitrary File Read via Path Traversal High
CVE-2026-33476 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 20, 2026
mith36 Credited to mith36
AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `aVideoEncoder.json.php` High
CVE-2026-33354 was published for wwbn/avideo (Composer) Mar 19, 2026
gr00ve3 Credited to gr00ve3
Langflow has an Arbitrary File Write (RCE) via v2 API Critical
CVE-2026-33309 was published for langflow (pip) Mar 19, 2026
akshatgit Credited to akshatgit, abhinavagarwal07, Jkavia, and andifilhohub abhinavagarwal07 abhinavagarwal07
Jkavia Jkavia andifilhohub andifilhohub
SiYuan importSY/importZipMd: path traversal via multipart filename enables arbitrary file write High
CVE-2026-32749 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 16, 2026
fg0x0 Credited to fg0x0
MCP Atlassian has an arbitrary file write leading to arbitrary code execution via unconstrained download_path in confluence_download_attachment Critical
CVE-2026-27825 was published for mcp-atlassian (pip) Mar 10, 2026
yotampe-pluto Credited to yotampe-pluto and gil-maman-p gil-maman-p gil-maman-p
OpenClaw hardened the skill download target directory validation Moderate
CVE-2026-27008 was published for openclaw (npm) Feb 18, 2026
Adam55A-code Credited to Adam55A-code
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database