Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
38
Go
2,950
Maven
5,000+
npm
4,596
NuGet
787
pip
4,301
Pub
12
RubyGems
982
Rust
1,121
Swift
49
Unreviewed advisories
All unreviewed
5,000+

770 advisories

Loading
@nyariv/sandboxjs has a Sandbox Escape vulnerability Critical
CVE-2026-25587 was published for @nyariv/sandboxjs (npm) Feb 5, 2026
c0rydoras
Credited to c0rydoras
Claude Code has a Command Injection in find Command Bypasses User Approval Prompt High
CVE-2026-24887 was published for @anthropic-ai/claude-code (npm) Feb 3, 2026
CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor Critical
CVE-2026-25510 was published for ci4-cms-erp/ci4ms (Composer) Feb 2, 2026
Far-Horizons
Credited to Far-Horizons
Langroid has WAF Bypass Leading to RCE in TableChatAgent Critical
CVE-2026-25481 was published for langroid (pip) Feb 2, 2026
Ka7arotto
Credited to Ka7arotto
@backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks High
CVE-2026-25153 was published for @backstage/plugin-techdocs-node (npm) Feb 2, 2026
SandboxJS Vulnerable to Prototype Pollution -> Sandbox Escape -> RCE Critical
CVE-2026-25142 was published for @nyariv/sandboxjs (npm) Feb 2, 2026
c0rydoras
Credited to c0rydoras
Salt junos Module Vulnerable to Code Injection via Specially Crafted YAML Payload High
CVE-2025-62348 was published for salt (pip) Jan 30, 2026
Orval has Code Injection via unsanitized x-enum-descriptions using JS comments Critical
CVE-2026-25141 was published for @orval/core (npm) Jan 30, 2026
progfay k14uz
Credited to progfay and k14uz
AutoGPT is Vulnerable to RCE via Disabled Block Execution High
CVE-2026-24780 was published for agpt (pip) Jan 29, 2026
rahulgovind
Credited to rahulgovind
PyTorch Vulnerable to Remote Code Execution via Untrusted Checkpoint Files High
CVE-2026-24747 was published for pytorch (pip) Jan 27, 2026
azraelxuemo
Credited to azraelxuemo
SandboxJS has Sandbox Escape via Unprotected AsyncFunction Constructor Critical
CVE-2026-23830 was published for @nyariv/sandboxjs (npm) Jan 27, 2026
nyxsorcerer
Credited to nyxsorcerer
Quick-Media Batik Codec FIX package has Code Injection vulnerability Moderate
CVE-2026-24806 was published for com.github.liuyueyi.media:batik-codec-fix (Maven) Jan 27, 2026
vm2 has a Sandbox Escape Critical
CVE-2026-22709 was published for vm2 (npm) Jan 26, 2026
Moodle affected by a code injection vulnerability High
CVE-2025-67847 was published for moodle/moodle (Composer) Jan 23, 2026
asrar-mared Seldaek
Credited to asrar-mared and Seldaek
Tendenci Affected by Authenticated Remote Code Execution via Pickle Deserialization Moderate
CVE-2026-23946 was published for tendenci (pip) Jan 21, 2026
nedlir
Credited to nedlir
vLLM affected by RCE via auto_map dynamic module loading during model initialization High
CVE-2026-22807 was published for vllm (pip) Jan 21, 2026
zaddy6 arthurgervais
DarkLight1337 russellb
Credited to zaddy6, arthurgervais, DarkLight1337, and russellb
binary-parser library has a code injection vulnerability Moderate
CVE-2026-1245 was published for binary-parser (npm) Jan 20, 2026
sei-vsarvepalli
Credited to sei-vsarvepalli
Lobe Chat affected by Cross-Site Scripting(XSS) that can escalate to Remote Code Execution(RCE) Critical
CVE-2026-23733 was published for @lobehub/chat (npm) Jan 20, 2026
c2an1
Credited to c2an1
Skipper is vulnerable to arbitrary code execution through lua filters High
CVE-2026-23742 was published for github.com/zalando/skipper (Go) Jan 16, 2026
moyushui b0b0haha
Credited to moyushui and b0b0haha
Crawl4AI is Vulnerable to Remote Code Execution in Docker API via Hooks Parameter Critical
GHSA-5882-5rx9-xgxp was published for Crawl4AI (pip) Jan 16, 2026
Shopware Has Improper Control of Generation of Code in Twig rendered views High
CVE-2026-23498 was published for shopware/core (Composer) Jan 14, 2026
lukasz-rybak andreisss
Credited to lukasz-rybak and andreisss
enclave-vm Vulnerable to Sandbox Escape via Host Error Prototype Chain Critical
CVE-2026-22686 was published for enclave-vm (npm) Jan 14, 2026
UmbracoForms Vulnerable to Remote Code Execution via Untrusted WSDL Compilation in Dynamic SOAP Client Generation Critical
CVE-2025-68924 was published for UmbracoForms (NuGet) Jan 13, 2026
chudyPB
Credited to chudyPB
Envoy Extension Policy lua scripts injection causes arbitrary command execution High
CVE-2026-22771 was published for github.com/envoyproxy/gateway (Go) Jan 13, 2026
rikatz rudrakhp
guydc arkodg
Credited to rikatz, rudrakhp, guydc, and arkodg
Salesforce Uni2TS has a Code Injection vulnerability Critical
CVE-2026-22584 was published for uni2ts (pip) Jan 10, 2026
augustocesarperin
Credited to augustocesarperin
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database