Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
41
Go
3,003
Maven
5,000+
npm
4,732
NuGet
788
pip
4,341
Pub
12
RubyGems
987
Rust
1,137
Swift
50
Unreviewed advisories
All unreviewed
5,000+

298 advisories

Loading
carbon-apimgt does not properly restrict uploaded files Critical
CVE-2025-13590 was published for org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl (Maven) Feb 19, 2026
n8n Merge Node has Arbitrary File Write leading to RCE Critical
CVE-2026-25056 was published for n8n (npm) Feb 4, 2026
nlgbao1340
Credited to nlgbao1340
FUXA contains an Unrestricted File Upload vulnerability High
CVE-2025-69981 was published for fuxa-server (npm) Feb 3, 2026
Podinfo affected by Arbitrary File Upload that leads to Stored Cross-Site Scripting (XSS) Low
CVE-2025-70849 was published for github.com/stefanprodan/podinfo (Go) Feb 3, 2026
CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor Critical
CVE-2026-25510 was published for ci4-cms-erp/ci4ms (Composer) Feb 2, 2026
Far-Horizons
Credited to Far-Horizons
NocoDB Vulnerable to Stored Cross-Site Scripting via SVG upload High
CVE-2026-24769 was published for nocodb (npm) Jan 28, 2026
p-
Credited to p-
Livewire Filemanager does not restrict uploaded file types High
CVE-2025-14894 was published for livewire-filemanager/filemanager (Composer) Jan 16, 2026
Gin-vue-admin has arbitrary file upload vulnerability caused by path traversal High
CVE-2026-22786 was published for github.com/flipped-aurora/gin-vue-admin (Go) Jan 13, 2026
D0ub1e-D
Credited to D0ub1e-D
n8n Vulnerable to RCE via Arbitrary File Write Critical
CVE-2026-21877 was published for n8n (npm) Jan 6, 2026
theolelasseux
Credited to theolelasseux
Cadmium CMS has a background arbitrary file upload vulnerability High
CVE-2025-51511 was published for cadmium-org/cadmium-cms (Composer) Dec 23, 2025
Umbraco CMS has an arbitrary file upload vulnerability Moderate
CVE-2025-67288 was published for Umbraco.Cms (NuGet) Dec 22, 2025
legacy-git
Credited to legacy-git
Pagekit CMS is vulnerable to OS Command Injection via Storage component Critical
CVE-2025-67164 was published for pagekit/pagekit (Composer) Dec 17, 2025
GrapesJsBuilder File Upload allows all file uploads High
CVE-2025-13827 was published for mautic/grapes-js-builder-bundle (Composer) Dec 2, 2025
driskell escopecz
patrykgruszka
Credited to driskell, escopecz, and patrykgruszka
DNN Insufficient Access Control - Image Upload allows for Site Content Overwrite Critical
CVE-2025-64095 was published for DNN.PLATFORM (NuGet) Oct 29, 2025
bdukes valadas
Credited to bdukes and valadas
DNN CKEditor Provider allows unauthenticated upload out-of-the-box Moderate
CVE-2025-62802 was published for Dnn.Platform (NuGet) Oct 29, 2025
r90727 bdukes
donker david-poindexter mitchelsellers
Credited to r90727, bdukes, donker, david-poindexter, and mitchelsellers
FlowiseAI/Flosise has File Upload vulnerability High
CVE-2025-61687 was published for flowise (npm) Oct 8, 2025
im-soohyun
Credited to im-soohyun
Auth0 Symfony SDK Does Not Properly Handle File Types in Bulk User Import Low
GHSA-7jp2-5h22-m432 was published for auth0/symfony (Composer) Oct 1, 2025
Auth0 Wordpress plugin Does Not Properly Handle File Types in Bulk User Import Low
GHSA-w22c-pw5m-482x was published for auth0/wordpress (Composer) Oct 1, 2025
laravel-auth0 SDK Does Not Properly Handle File Types in Bulk User Import Low
GHSA-hjfh-5jmm-xr24 was published for auth0/login (Composer) Oct 1, 2025
auth0-PHP SDK Does Not Properly Handle File Types in Bulk User Import Low
CVE-2025-58769 was published for auth0/auth0-php (Composer) Oct 1, 2025
N8N's Chat Trigger component is vulnerable to XSS High
CVE-2025-56265 was published for @n8n/n8n-nodes-langchain (npm) Sep 8, 2025
Vaadin Platform possible file bypass via upload validation on the server-side Moderate
GHSA-c7v7-rqfm-f44j was published for com.vaadin:vaadin (Maven) Sep 4, 2025
Vaadin Flow Components possible file bypass via upload validation on the server-side Moderate
GHSA-94g8-xv23-7656 was published for com.vaadin:vaadin-upload-flow (Maven) Sep 4, 2025
Vaadin Framework possible file bypass via upload validation on the server-side Moderate
CVE-2025-9467 was published for com.vaadin:vaadin-server (Maven) Sep 4, 2025
FormCms avatar upload feature has a stored cross-site scripting (XSS) vulnerability Moderate
CVE-2025-56236 was published for FormCMS (NuGet) Aug 28, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database