GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories: All reviewed 5,000+; Composer 5,000+; Erlang 49; GitHub Actions 49; Go 3,538; Maven 5,000+; npm 5,000+; NuGet 914; pip 4,792; Pub 13; RubyGems 1,037; Rust 1,232; Swift 53
Unreviewed advisories: All unreviewed 5,000+
8,199 advisories
ByteDance DeerFlow before commit 2176b2b contains a path traversal and arbitrary file write...
High | Unreviewed | CVE-2026-40518 was published Apr 17, 2026
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to...
High | Unreviewed | CVE-2026-5710 was published Apr 17, 2026
The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due...
High | Unreviewed | CVE-2026-3464 was published Apr 17, 2026
A vulnerability was found in prasathmani TinyFileManager up to 2.6. Affected is an unknown...
Moderate | Unreviewed | CVE-2026-6496 was published Apr 17, 2026
A flaw has been found in Qihui jtbc5 CMS 5.0.3.6. Affected is an unknown function of the file ...
Moderate | Unreviewed | CVE-2026-6487 was published Apr 17, 2026
The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Arbitrary File Read...
High | Unreviewed | CVE-2026-4659 was published Apr 17, 2026
A path traversal vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an...
Moderate | Unreviewed | CVE-2026-35496 was published Apr 17, 2026
The JetBackup – Backup, Restore & Migrate plugin for WordPress is vulnerable to Path Traversal...
Moderate | Unreviewed | CVE-2026-4853 was published Apr 17, 2026
@fastify/static vulnerable to path traversal in directory listing
Moderate | CVE-2026-6410 was published for @fastify/static (npm) Apr 16, 2026
ACME Lego: Arbitrary File Write via Path Traversal in Webroot HTTP-01 Provider
High | CVE-2026-40611 was published for github.com/go-acme/lego (Go) Apr 16, 2026
Flowise: Path Traversal in Vector Store basePath
Moderate | GHSA-w6v6-49gh-mc9w was published for flowise (npm) Apr 16, 2026
Mako: Path traversal via double-slash URI prefix in TemplateLookup
Moderate | GHSA-v92g-xgxw-vvmm was published for Mako (pip) Apr 16, 2026
Junrar: Path Traversal (Zip-Slip) via Sibling Directory Name Prefix
Moderate | GHSA-hf5p-q87m-crj7 was published for com.github.junrar:junrar (Maven) Apr 16, 2026
PsiTransfer: Upload PATCH path traversal can create `config.<NODE_ENV>.js` and lead to code execution on restart
High | GHSA-533q-w4g6-5586 was published for psitransfer (npm) Apr 16, 2026
Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision
Moderate | CVE-2026-40256 was published for weblate (pip) Apr 16, 2026
Weblate: Arbitrary File Read via Symlink
High | CVE-2026-34242 was published for weblate (pip) Apr 16, 2026
Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository
Moderate | CVE-2026-33220 was published for weblate (pip) Apr 16, 2026
The Career Section plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to...
High | Unreviewed | CVE-2025-14868 was published Apr 16, 2026
OpenHarness prior to commit dd1d235 contains a path traversal vulnerability that allows remote...
High | Unreviewed | CVE-2026-40503 was published Apr 16, 2026
Path traversal in vite-plus/binding downloadPackageManager() writes outside VP_HOME
High | GHSA-33r3-4whc-44c2 was published for vite-plus (npm) Apr 16, 2026
A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote...
Critical | Unreviewed | CVE-2026-20180 was published Apr 15, 2026
An issue in the file handling logic of the component download.php of SAC-NFe v2.0.02 allows...
High | Unreviewed | CVE-2026-30996 was published Apr 15, 2026
A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to...
Moderate | Unreviewed | CVE-2026-20148 was published Apr 15, 2026
ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a...
High | Unreviewed | CVE-2026-34619 was published Apr 15, 2026
ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a...
High | Unreviewed | CVE-2026-27305 was published Apr 15, 2026
ProTip! Advisories are also available from the GraphQL API.