GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,282
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,105
Rust
1,490
Swift
61
Unreviewed advisories
All unreviewed
5,000+
151 advisories
Filter by severity
Scriban: Template Writes to Arbitrary CLR Properties via `TypedObjectAccessor` (Mass Assignment + `private` / `init` / `internal` Setter Bypass)
High
GHSA-7jvp-hj45-2f2m
was published
for
Scriban
(NuGet)
Jul 6, 2026
Craft CMS's mass assignment via id in newAttributes during bulk duplicate overwrites existing elements
High
CVE-2026-50281
was published
for
craftcms/cms
(Composer)
Jul 2, 2026
K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A...
Moderate
Unreviewed
CVE-2026-48943
was published
Jun 25, 2026
jackson-databind's renamed @JsonIgnore'd setters can deserialize via private fields
Moderate
CVE-2026-54516
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Jun 23, 2026
jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties
Moderate
CVE-2026-54515
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Jun 23, 2026
Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution via appId Override
High
CVE-2026-54351
was published
for
@budibase/server
(npm)
Jun 22, 2026
Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint...
Moderate
Unreviewed
CVE-2026-56276
was published
Jun 20, 2026
flat-to-nested: Prototype pollution in flat-to-nested convert() via __proto__ parent/id key
High
CVE-2026-55091
was published
for
flat-to-nested
(npm)
Jun 19, 2026
In JetBrains Hub before 2026.1.13757,
2025.3.148033,
2025.2.148048,
2025.1.148120,
2024.3.148430,...
Critical
Unreviewed
CVE-2026-56142
was published
Jun 19, 2026
spomky-labs/otphp: Mass-assignment in Factory::loadFromProvisioningUri lets a hostile provisioning URI corrupt OTP state or leak an uncaught TypeError
Moderate
GHSA-2jx3-65f3-xr8r
was published
for
spomky-labs/otphp
(Composer)
Jun 18, 2026
Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign
Critical
CVE-2026-48150
was published
for
@budibase/server
(npm)
Jun 12, 2026
lmdeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out
High
CVE-2026-46517
was published
for
lmdeploy
(pip)
May 21, 2026
Flowise: Mass Assignment in PUT /api/v1/user Allows Authenticated Users to Override Password Hash and Bypass Password Change Verification
Moderate
GHSA-59fh-9f3p-7m39
was published
for
flowise
(npm)
May 20, 2026
Drupal core allows Object Injection
Moderate
CVE-2026-6366
was published
for
drupal/core
(Composer)
May 20, 2026
Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and Evaluation Data Manipulation
Moderate
CVE-2026-45396
was published
for
open-webui
(pip)
May 14, 2026
Electerm: Importing unsafe bookmark data could lead to unsafe operation when clicking local type bookmark
Critical
CVE-2026-45058
was published
for
electerm
(npm)
May 14, 2026
FlowiseAI: Evaluator create+update mass-assignment allows cross-workspace evaluator takeover
High
CVE-2026-46480
was published
for
flowise
(npm)
May 14, 2026
FlowiseAI: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover
High
CVE-2026-46479
was published
for
flowise
(npm)
May 14, 2026
FlowiseAI: DatasetRow create+update mass-assignment allows cross-workspace row takeover
High
CVE-2026-46478
was published
for
flowise
(npm)
May 14, 2026
FlowiseAI: Dataset create+update mass-assignment allows cross-workspace dataset takeover
High
CVE-2026-46477
was published
for
flowise
(npm)
May 14, 2026
FlowiseAI: CustomTemplate create+update mass-assignment allows cross-workspace template takeover
High
CVE-2026-46476
was published
for
flowise
(npm)
May 14, 2026
FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover
High
CVE-2026-46475
was published
for
flowise
(npm)
May 14, 2026
FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment
High
CVE-2026-46441
was published
for
flowise
(npm)
May 14, 2026
FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment
High
CVE-2026-42863
was published
for
flowise
(npm)
May 14, 2026
FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment
High
CVE-2026-42862
was published
for
flowise
(npm)
May 14, 2026
ProTip!
Advisories are also available from the
GraphQL API