GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
28,615 advisories
CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting
Moderate
CVE-2026-39390
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 8, 2026
CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files
Moderate
CVE-2026-39389
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 8, 2026
quarkus-openapi-generator extension has Zip Slip Path Traversal in ApicurioCodegenWrapper class
Moderate
GHSA-jx2w-vp7f-456q
was published
for
io.quarkiverse.openapi.generator:quarkus-openapi-generator
(Maven)
Apr 8, 2026
Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit
High
CVE-2026-27806
was published
for
github.com/fleetdm/fleet/v4
(Go)
Apr 8, 2026
Axios HTTP/2 Session Cleanup State Corruption Vulnerability
Moderate
CVE-2026-39865
was published
for
axios
(npm)
Apr 8, 2026
OpenEXR: DWA Lossy Decoder Heap Out-of-Bounds Write
High
CVE-2026-34589
was published
for
OpenEXR
(pip)
Apr 8, 2026
OpenEXR has a signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/Write
High
CVE-2026-34588
was published
for
OpenEXR
(pip)
Apr 8, 2026
Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO)
Moderate
GHSA-vvjj-xcjg-gr5g
was published
for
nodemailer
(npm)
Apr 8, 2026
LiquidJS: `renderFile()` / `parseFile()` bypass configured `root` and allow arbitrary file read
Moderate
CVE-2026-39859
was published
for
liquidjs
(npm)
Apr 8, 2026
LiquidJS: ownPropertyOnly bypass via sort_natural filter — prototype property information disclosure through sorting side-channel
Moderate
CVE-2026-39412
was published
for
liquidjs
(npm)
Apr 8, 2026
LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header
Moderate
CVE-2026-39411
was published
for
@lobehub/lobehub
(npm)
Apr 8, 2026
kcp's cache server is accessible without authentication or authorization checks
High
CVE-2026-39429
was published
for
github.com/kcp-dev/kcp
(Go)
Apr 8, 2026
NiceGUI: Upload filename sanitization bypass via backslashes allows path traversal on Windows
Moderate
CVE-2026-39844
was published
for
nicegui
(pip)
Apr 8, 2026
SiYuan: Remote Code Execution in the Electron desktop client via stored XSS in synced table captions
Critical
CVE-2026-39846
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Apr 8, 2026
LiquidJS: Root restriction bypass for partial and layout loading through symlinked templates
High
CVE-2026-35525
was published
for
liquidjs
(npm)
Apr 8, 2026
LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter
Low
CVE-2026-34166
was published
for
liquidjs
(npm)
Apr 8, 2026
rfc3161-client Has Improper Certificate Validation
Moderate
CVE-2026-33753
was published
for
rfc3161-client
(pip)
Apr 8, 2026
XWiki vulnerable to remote code execution with script right through unprotected Velocity scripting API
High
CVE-2026-33229
was published
for
org.xwiki.platform:xwiki-platform-legacy-oldcore
(Maven)
Apr 8, 2026
ProTip!
Advisories are also available from the
GraphQL API