GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
446 advisories
Filter by severity
The Image Optimizer plugin for WordPress is vulnerable to arbitrary file deletion in versions up...
High
Unreviewed
CVE-2026-5821
was published
Jul 2, 2026
oras-go has file store write outside workingDir via symlink traversal
Moderate
CVE-2026-50162
was published
for
oras.land/oras-go/v2
(Go)
Jul 1, 2026
Keras versions up to and including 3.13.2 are vulnerable to an arbitrary HDF5 file read due to an...
Moderate
Unreviewed
CVE-2026-12480
was published
Jul 1, 2026
EasyAdminBundle has path traversal and reflected XSS in Flag and Icon Twig components
Moderate
GHSA-2wwr-9x6f-88gp
was published
for
easycorp/easyadmin-bundle
(Composer)
Jul 1, 2026
The WP-BusinessDirectory plugin for WordPress is vulnerable to Unauthenticated Arbitrary File...
Critical
Unreviewed
CVE-2026-6070
was published
Jul 1, 2026
IBM App Connect Enterprise 13.0.1.0 through 13.0.7.2, and 12.0.1.0 through 12.0.12.26 and IBM...
Moderate
Unreviewed
CVE-2026-3602
was published
Jun 30, 2026
Arbitrary File Read (Unauthenticated) in NetScaler ADC and NetScaler Gateway if the access to...
High
Unreviewed
CVE-2026-10816
was published
Jun 30, 2026
The Frontend File Manager Plugin plugin for WordPress is vulnerable to Authenticated Arbitrary...
High
Unreviewed
CVE-2026-8095
was published
Jun 28, 2026
pnpm: `patch-remove` could delete project-selected files outside the patches directory
High
GHSA-72r4-9c5j-mj57
was published
for
pnpm
(npm)
Jun 27, 2026
pnpm: Hoisted install imports lockfile alias outside node_modules
High
GHSA-fr4h-3cph-29xv
was published
for
pnpm
(npm)
Jun 27, 2026
pnpm: `stage download` writes outside its destination directory via manifest name/version traversal
High
CVE-2026-55700
was published
for
pnpm
(npm)
Jun 26, 2026
pnpm: Reserved bin name deletes PNPM_HOME during global remove
Moderate
CVE-2026-55699
was published
for
pnpm
(npm)
Jun 26, 2026
PhpWeasyPrint vulnerable to arbitrary file deletion at shutdown via public $temporaryFiles
Low
CVE-2026-49358
was published
for
pontedilana/php-weasyprint
(Composer)
Jun 26, 2026
Incus has an arbitrary file write via path traversal in S3 multipart upload
Critical
CVE-2026-48753
was published
for
github.com/lxc/incus/v7/cmd/incusd
(Go)
Jun 26, 2026
Incus has arbitrary file read+write on host via templates/ symlink in malicious image
Critical
CVE-2026-48752
was published
for
github.com/lxc/incus/v7/cmd/incusd
(Go)
Jun 26, 2026
Incus has an arbitrary file write on host via `exec-output` symlink in crafted image
Critical
CVE-2026-48750
was published
for
github.com/lxc/incus/v7/cmd/incusd
(Go)
Jun 26, 2026
Incus has an arbitrary file read+write on host via rootfs/ symlink in malicious image
Critical
CVE-2026-48749
was published
for
github.com/lxc/incus/v7/cmd/incusd
(Go)
Jun 26, 2026
Flowise before 3.0.6 (affected versions 2.2.8 and earlier) contains an arbitrary file access...
Critical
Unreviewed
CVE-2025-71334
was published
Jun 26, 2026
Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process...
Critical
Unreviewed
CVE-2025-71338
was published
Jun 26, 2026
Flowise before 3.0.6 contains an arbitrary file read vulnerability in the chatId parameter of the...
High
Unreviewed
CVE-2025-71324
was published
Jun 26, 2026
Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api...
Critical
Unreviewed
CVE-2025-71333
was published
Jun 26, 2026
OctoPrint has possible file exfiltration via query parameters on upload endpoints
High
CVE-2026-54134
was published
for
OctoPrint
(pip)
Jun 23, 2026
Network-AI: Poisoned environment backup manifest allows arbitrary recursive deletion during backup pruning
High
GHSA-2fmp-9rvw-hc96
was published
for
network-ai
(npm)
Jun 19, 2026
In JetBrains GoLand before 2026.1.3 remote code execution was possible via untrusted project...
High
Unreviewed
CVE-2026-53915
was published
Jun 19, 2026
Entire CLI: Path traversal in checkpoint session metadata allows arbitrary file write during resume/rewind
Moderate
GHSA-2h46-9x5w-4wf7
was published
for
github.com/entireio/cli
(Go)
Jun 19, 2026
ProTip!
Advisories are also available from the
GraphQL API