Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
41
Go
3,003
Maven
5,000+
npm
4,732
NuGet
788
pip
4,341
Pub
12
RubyGems
987
Rust
1,137
Swift
50
Unreviewed advisories
All unreviewed
5,000+

298 advisories

Loading
carbon-apimgt does not properly restrict uploaded files Critical
CVE-2025-13590 was published for org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl (Maven) Feb 19, 2026
Remote Code Execution by uploading a phar file using frontmatter High
CVE-2024-27923 was published for getgrav/grav (Composer) Mar 6, 2024
Universe1122 sunnypatell
Credited to Universe1122 and sunnypatell
FUXA contains an Unrestricted File Upload vulnerability High
CVE-2025-69981 was published for fuxa-server (npm) Feb 3, 2026
Podinfo affected by Arbitrary File Upload that leads to Stored Cross-Site Scripting (XSS) Low
CVE-2025-70849 was published for github.com/stefanprodan/podinfo (Go) Feb 3, 2026
n8n Merge Node has Arbitrary File Write leading to RCE Critical
CVE-2026-25056 was published for n8n (npm) Feb 4, 2026
nlgbao1340
Credited to nlgbao1340
CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor Critical
CVE-2026-25510 was published for ci4-cms-erp/ci4ms (Composer) Feb 2, 2026
Far-Horizons
Credited to Far-Horizons
NocoDB Vulnerable to Stored Cross-Site Scripting via SVG upload High
CVE-2026-24769 was published for nocodb (npm) Jan 28, 2026
p-
Credited to p-
Livewire Filemanager does not restrict uploaded file types High
CVE-2025-14894 was published for livewire-filemanager/filemanager (Composer) Jan 16, 2026
Umbraco CMS has an arbitrary file upload vulnerability Moderate
CVE-2025-67288 was published for Umbraco.Cms (NuGet) Dec 22, 2025
legacy-git
Credited to legacy-git
Gin-vue-admin has arbitrary file upload vulnerability caused by path traversal High
CVE-2026-22786 was published for github.com/flipped-aurora/gin-vue-admin (Go) Jan 13, 2026
D0ub1e-D
Credited to D0ub1e-D
n8n Vulnerable to RCE via Arbitrary File Write Critical
CVE-2026-21877 was published for n8n (npm) Jan 6, 2026
theolelasseux
Credited to theolelasseux
Cadmium CMS has a background arbitrary file upload vulnerability High
CVE-2025-51511 was published for cadmium-org/cadmium-cms (Composer) Dec 23, 2025
Liferay Portal Unvalidated File Upload Moderate
CVE-2025-43750 was published for com.liferay:com.liferay.dynamic.data.mapping.form.web (Maven) Aug 20, 2025
Pagekit CMS is vulnerable to OS Command Injection via Storage component Critical
CVE-2025-67164 was published for pagekit/pagekit (Composer) Dec 17, 2025
GrapesJsBuilder File Upload allows all file uploads High
CVE-2025-13827 was published for mautic/grapes-js-builder-bundle (Composer) Dec 2, 2025
driskell escopecz
patrykgruszka
Credited to driskell, escopecz, and patrykgruszka
Juju allows arbitrary executable uploads via authenticated endpoint without authorization High
CVE-2025-0928 was published for github.com/juju/juju (Go) Jul 9, 2025
tlm wallyworld
hpidcock Fedqys setharnold
Credited to tlm, wallyworld, hpidcock, Fedqys, and setharnold
ShowDoc unrestricted file upload vulnerability Critical
CVE-2025-0520 was published for showdoc/showdoc (Composer) Apr 29, 2025
DNN Insufficient Access Control - Image Upload allows for Site Content Overwrite Critical
CVE-2025-64095 was published for DNN.PLATFORM (NuGet) Oct 29, 2025
bdukes valadas
Credited to bdukes and valadas
DNN CKEditor Provider allows unauthenticated upload out-of-the-box Moderate
CVE-2025-62802 was published for Dnn.Platform (NuGet) Oct 29, 2025
r90727 bdukes
donker david-poindexter mitchelsellers
Credited to r90727, bdukes, donker, david-poindexter, and mitchelsellers
Drupal core Unrestricted Upload of File with Dangerous Type High
CVE-2020-13671 was published for drupal/core (Composer) Oct 12, 2021
Improper Input Validation in Apache ActiveMQ Critical
CVE-2016-3088 was published for org.apache.activemq:activemq-client (Maven) May 14, 2022
sunSUNQ
Credited to sunSUNQ
When running Apache Tomcat on Windows with HTTP PUTs enabled it was possible to upload a JSP file to the server High
CVE-2017-12615 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Oct 17, 2018
Unrestricted Upload of File with Dangerous Type Apache Tomcat High
CVE-2017-12617 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) May 14, 2022
sunSUNQ anlakii
Credited to sunSUNQ and anlakii
Open WebUI allows Remote Code Execution via Arbitrary File Upload to /audio/api/v1/transcriptions High
CVE-2024-8060 was published for open-webui (pip) Mar 20, 2025
pytorch-lightning vulnerable to Arbitrary File Write via /v1/runs API endpoint Critical
CVE-2024-5980 was published for lightning (pip) Jun 27, 2024
awaelchli
Credited to awaelchli
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database