Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

622 advisories

Loading
vm2 setup-sandbox.js violates Defense Invariant #11 in stack-trace formatter Low
GHSA-q3fm-4wcw-g57x was published for vm2 (npm) May 29, 2026
fg0x0 Credited to fg0x0
CrowdSec AppSec silently drops request body for chunked / HTTP-2 requests High
CVE-2026-44982 was published for github.com/crowdsecurity/crowdsec (Go) May 27, 2026
mmarting Credited to mmarting
LiquidJS's `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()` Moderate
CVE-2026-44646 was published for liquidjs (npm) May 27, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
Twig: Sandbox property and method bypass via object-destructuring assignment High
CVE-2026-46639 was published for twig/twig (Composer) May 21, 2026
Twig: `{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411) Moderate
CVE-2026-46638 was published for twig/twig (Composer) May 21, 2026
Twig: `template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name Moderate
CVE-2026-46634 was published for twig/twig (Composer) May 21, 2026
@hulumi/policies: Stack-wide evidence bypassed Cloudflare and deployment-governance guardrails High
GHSA-59f3-7227-wmh4 was published for @hulumi/policies (npm) May 21, 2026
Klever-Go KVM read-only execution can commit contract delete and upgrade side effects Moderate
CVE-2026-46403 was published for github.com/klever-io/klever-go (Go) May 21, 2026
Formie: Pre-authenticated server-side template injection in Hidden fields Critical
CVE-2026-45697 was published for verbb/formie (Composer) May 18, 2026
pwnsauc3 Credited to pwnsauc3
Strapi Upload Plugin MIME Validation Bypass via Content API Moderate
CVE-2026-22707 was published for @strapi/upload (npm) May 14, 2026
kaminuma Credited to kaminuma and arkmarta arkmarta arkmarta
ProTip! Advisories are also available from the GraphQL API