Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,004
Maven
5,000+
npm
5,000+
NuGet
975
pip
5,000+
Pub
13
RubyGems
1,069
Rust
1,395
Swift
61
Unreviewed advisories
All unreviewed
5,000+

310 advisories

Loading
DOMPurify: Trusted Types policy survives `clearConfig()` and can poison later `RETURN_TRUSTED_TYPE` output Low
GHSA-vxr8-fq34-vvx9 was published for dompurify (npm) Jun 15, 2026
offset Credited to offset
DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR` Moderate
GHSA-76mc-f452-cxcm was published for dompurify (npm) Jun 15, 2026
offset Credited to offset
DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks Moderate
CVE-2026-49458 was published for dompurify (npm) Jun 15, 2026
offset Credited to offset
DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM Moderate
CVE-2026-49459 was published for dompurify (npm) Jun 15, 2026
offset Credited to offset
Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data Moderate
CVE-2026-49397 was published for github.com/nezhahq/nezha (Go) Jun 10, 2026
offset Credited to offset
praisonai-platform: Agent endpoints accept any agent_id without workspace ownership check, cross-workspace read/update/delete IDOR High
CVE-2026-47419 was published for praisonai-platform (pip) Jun 5, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
Shopware: SSRF in Media External-Link Endpoint Bypasses IP Validation Moderate
CVE-2026-48013 was published for shopware/core (Composer) Jun 4, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
Shopware: Admin API ACL Bypass in Order State Transition Endpoints Moderate
CVE-2026-48014 was published for shopware/core (Composer) Jun 4, 2026
offset Credited to offset
Hono: IP Restriction bypasses static deny rules for non-canonical IPv6 Moderate
CVE-2026-47674 was published for hono (npm) Jun 4, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection Moderate
CVE-2026-47675 was published for hono (npm) Jun 4, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
praisonai-platform: Any workspace member can delete the entire workspace via DELETE /workspaces/{id} High
CVE-2026-47412 was published for praisonai-platform (pip) Jun 1, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
praisonai-platform: Issue endpoints accept any issue_id without workspace ownership check, cross-workspace read/update/delete IDOR High
CVE-2026-47415 was published for praisonai-platform (pip) Jun 1, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
praisonai-platform: Comment endpoints accept any issue_id without workspace ownership check, cross-workspace comment read and post IDOR High
CVE-2026-47417 was published for praisonai-platform (pip) Jun 1, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
praisonai-platform: Project endpoints accept any project_id without workspace ownership check, cross-workspace read/update/delete IDOR High
CVE-2026-47418 was published for praisonai-platform (pip) Jun 1, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
praisonai-platform: Any workspace member can promote themselves or others to owner via PATCH /workspaces/{id}/members/{user_id} Critical
CVE-2026-47416 was published for praisonai-platform (pip) May 29, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
praisonai-platform: Label endpoints' unchecked label_id/issue_id enable cross-workspace label IDOR (edit, delete, link) High
CVE-2026-47414 was published for praisonai-platform (pip) May 29, 2026
offset Credited to offset
Admidio: Any logged-in user can delete inventory fields via `mode=field_delete` — incomplete fix of #2024 Moderate
CVE-2026-47233 was published for admidio/admidio (Composer) May 29, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
Admidio has IDOR in `documents-files.php` `mode=move_save` that lets any folder-uploader exfiltrate files from private folders High
CVE-2026-47231 was published for admidio/admidio (Composer) May 29, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
Admidio: IDOR in documents-files.php allows cross-folder file rename and description changes by unauthorized uploaders Moderate
CVE-2026-47230 was published for admidio/admidio (Composer) May 29, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
Admidio: CSRF in SSO client `enable` action toggles SAML/OIDC clients without token validation Moderate
CVE-2026-47229 was published for admidio/admidio (Composer) May 29, 2026
offset Credited to offset
Admidio's CSRF in registration `send_login` mode resets arbitrary user passwords Moderate
CVE-2026-47228 was published for admidio/admidio (Composer) May 29, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
Admidio module-administrator can delete or reorder categories owned by other modules via dead authorization check in `modules/categories.php` Moderate
CVE-2026-47227 was published for admidio/admidio (Composer) May 29, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
Parse Server's GraphQL "Did you mean ...?" validation suggestions disclose schema to unauthenticated callers Moderate
CVE-2026-47248 was published for parse-server (npm) May 29, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Arcane Has an Authenticated Arbitrary Host File Read via Docker Compose Include Directives High
CVE-2026-47179 was published for github.com/getarcaneapp/arcane/backend (Go) May 28, 2026
offset Credited to offset
LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex High
CVE-2026-45617 was published for liquidjs (npm) May 27, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database