GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Reviewed advisories by ecosystem:

Ecosystem | Reviewed advisories
All reviewed | 5,000+
Composer | 5,000+
Erlang | 49
GitHub Actions | 49
Go | 3,521
Maven | 5,000+
npm | 5,000+
NuGet | 912
pip | 4,768
Pub | 13
RubyGems | 1,036
Rust | 1,229
Swift | 53

Unreviewed advisories: 5,000+

29,008 advisories
Advisory | Severity | Identifier | Package (ecosystem) | Published
wger has Stored XSS via Unescaped License Attribution Fields | Moderate | CVE-2026-40353 | wger (pip) | Apr 16, 2026
wger has Broken Access Control in Global Gym Configuration Update Endpoint | High | CVE-2026-40474 | wger (pip) | Apr 16, 2026
Renovate affected by remote code execution was possible using the bazel-module or bazelisk managers, when using lockFileMaintenance | Moderate | GHSA-5vjq-5jmg-39xq | renovate (npm) | Apr 16, 2026
UEFI Firmware Parser has a heap out-of-bounds write in tiano decompressor ReadCLen | Critical | GHSA-hm2w-vr2p-hq7w | uefi-firmware (pip) | Apr 16, 2026
UEFI Firmware Parser has a stack out-of-bounds write in tiano decompressor MakeTable | Critical | GHSA-2689-5p89-6j3j | uefi-firmware (pip) | Apr 16, 2026
pyLoad has a Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition) | Moderate | CVE-2026-40594 | pyload-ng (pip) | Apr 16, 2026
LangSmith SDK: Streaming token events bypass output redaction | Moderate | GHSA-rr7j-v2q5-chgv | langsmith (npm) | Apr 16, 2026
PySpector has a Plugin Code Execution Bypass via Incomplete Static Analysis in PluginSecurity.validate_plugin_code | Moderate | GHSA-vp22-38m5-r39r | pyspector (pip) | Apr 16, 2026
MsQuic has a Remote Elevation of Privilege Vulnerability | Critical | CVE-2026-32179 | Microsoft.Native.Quic.MsQuic.OpenSSL (NuGet) | Apr 16, 2026
@fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons) | Critical | CVE-2026-33808 | @fastify/express (npm) | Apr 16, 2026
@fastify/express's middleware path doubling causes authentication bypass in child plugin scopes | Critical | CVE-2026-33807 | @fastify/express (npm) | Apr 16, 2026
Fastify's connection header abuse enables stripping of proxy-added headers | Critical | CVE-2026-33805 | @fastify/http-proxy (npm) | Apr 16, 2026
Path traversal in vite-plus/binding downloadPackageManager() writes outside VP_HOME | High | GHSA-33r3-4whc-44c2 | vite-plus (npm) | Apr 16, 2026
hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR | Moderate | GHSA-458j-xx4x-4375 | hono (npm) | Apr 16, 2026
Froxlor has Local File Inclusion via path traversal in API `def_language` parameter leads to Remote Code Execution | Critical | GHSA-w59f-67xm-rxx7 | froxlor/froxlor (Composer) | Apr 16, 2026
Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API) | Critical | GHSA-gc9w-cc93-rjv8 | froxlor/froxlor (Composer) | Apr 16, 2026
Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add() | High | GHSA-47hf-23pw-3m8c | froxlor/froxlor (Composer) | Apr 16, 2026
Froxlor has Incomplete Symlink Validation in DataDump.add() Allows Arbitrary Directory Ownership Takeover via Cron | High | GHSA-75h4-c557-j89r | froxlor/froxlor (Composer) | Apr 16, 2026
Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index Allows Cross-Customer Email Spoofing | Moderate | GHSA-vmjj-qr7v-pxm6 | froxlor/froxlor (Composer) | Apr 16, 2026
Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add() | Moderate | GHSA-jvx4-xv3m-hrj4 | froxlor/froxlor (Composer) | Apr 16, 2026
DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation | Moderate | GHSA-39q2-94rc-95cp | dompurify (npm) | Apr 16, 2026
Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate | Moderate | CVE-2026-40486 | kimai/kimai (Composer) | Apr 15, 2026
Kimai has Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget | Moderate | CVE-2026-40479 | kimai/kimai (Composer) | Apr 15, 2026
Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf | Critical | CVE-2026-40478 | org.thymeleaf:thymeleaf (Maven) | Apr 15, 2026
Improper restriction of the scope of accessible objects in Thymeleaf expressions | Critical | CVE-2026-40477 | org.thymeleaf:thymeleaf (Maven) | Apr 15, 2026
Advisories are also available from the GraphQL API.