
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

30,466 advisories

protobuf.js: Denial of service through unbounded protobuf recursion High
CVE-2026-44289 was published for protobufjs (npm) May 12, 2026
Credited to peaktwilight, VladimirEliTokarev, AKiileX, tndud042713, dcodeIO, and alexander-fenster
protobufjs has overlong UTF-8 decoding Moderate
CVE-2026-44288 was published for @protobufjs/utf8 (npm) May 12, 2026
Credited to Xvush and dcodeIO
protobuf.js is Vulnerable to OS Command Injection in the CLI High
CVE-2026-42290 was published for protobufjs-cli (npm) May 12, 2026
Credited to 0x5t4l1n and dcodeIO
Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys Critical
CVE-2026-45321 was published for @tanstack/arktype-adapter (npm) May 12, 2026
Credited to ashishkurmi
Gryph Agents Payload Filter Fails to Strip Tool Payload for Sensitive Content Moderate
CVE-2026-45046 was published for github.com/safedep/gryph (Go) May 11, 2026
Credited to dodge1218
MantisBT Vulnerable to Stored XSS in File Download High
CVE-2026-44657 was published for mantisbt/mantisbt (Composer) May 11, 2026
Credited to siunam321 and dregad
MantisBT has Stored XSS on Move Attachments Admin Page High
CVE-2026-44655 was published for mantisbt/mantisbt (Composer) May 11, 2026
Credited to dregad
Credited to StarPlatinu and igalklebanov
Credited to Firebasky
SandboxJS has a sandbox escape via Function.caller leakage of internal call op Critical
CVE-2026-43898 was published for @nyariv/sandboxjs (npm) May 11, 2026
Credited to Macabely
MantisBT has a Private Bugnote Attachment Content Leak via REST API High
CVE-2026-42071 was published for mantisbt/mantisbt (Composer) May 11, 2026
Credited to shukla304, TristanInSec, dregad, and siunam321
MantisBT: Authorization Bypass in Bugnote Editing via Issue Update API Moderate
CVE-2026-42070 was published for mantisbt/mantisbt (Composer) May 11, 2026
Credited to shukla304, TristanInSec, and dregad
MantisBT is Vulnerable to Reflected XSS in Rendering Dynamic Custom Textarea Field Moderate
CVE-2026-41897 was published for mantisbt/mantisbt (Composer) May 11, 2026
Credited to siunam321 and dregad
Mermaid: Improper sanitization of configuration leads to CSS injection Moderate
CVE-2026-41159 was published for mermaid (npm) May 11, 2026
Credited to zsxsoft, KeenSecurityLab, and aloisklink
Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS Moderate
CVE-2026-41150 was published for mermaid (npm) May 11, 2026
Credited to aloisklink
Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection Moderate
CVE-2026-41149 was published for mermaid (npm) May 11, 2026
Credited to zsxsoft, KeenSecurityLab, and aloisklink
Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection Moderate
CVE-2026-41148 was published for mermaid (npm) May 11, 2026
Credited to matejsmycka and aloisklink
MantisBT is Vulnerable to Stored XSS in Saved-Filter Owner Column High
CVE-2026-40607 was published for mantisbt/mantisbt (Composer) May 11, 2026
Credited to siunam321 and dregad
MantisBT has Potential Referer-Based Reflected HTML Injection / XSS in Tag Update Page Moderate
CVE-2026-40598 was published for mantisbt/mantisbt (Composer) May 11, 2026
Credited to siunam321 and dregad
MantisBT has a Content Security Policy bypass via attachments High
CVE-2026-40597 was published for mantisbt/mantisbt (Composer) May 11, 2026
Credited to siunam321 and dregad
MantisBT is Vulnerable to XSS leading to account takeover via updating a user's font family preference High
CVE-2026-40596 was published for mantisbt/mantisbt (Composer) May 11, 2026
Credited to siunam321 and dregad
MantisBT is Vulnerable to Stored XSS in Custom Field Textarea Values Moderate
CVE-2026-39960 was published for mantisbt/mantisbt (Composer) May 11, 2026
Credited to morimori-dev, dregad, and TristanInSec
Yii 2: Local file inclusion via view parameter name collision High
CVE-2026-39850 was published for yiisoft/yii2 (Composer) May 11, 2026
Credited to khuroohamid
MantisBT: Bugnote Revision Page Leaks Private Issue Metadata After Issue Access Is Revoked Moderate
CVE-2026-34970 was published for mantisbt/mantisbt (Composer) May 11, 2026
Credited to shukla304 and dregad
MantisBT has an Authorization Bypass that Allows Uploading Attachments to Private Issues via REST API Moderate
CVE-2026-34754 was published for mantisbt/mantisbt (Composer) May 11, 2026
Credited to shukla304 and dregad