GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
121 advisories
Zebra node crash — V5 transaction hash panic (P2P reachable)
Critical
CVE-2026-34202
was published
for
zebra-chain
(Rust)
Mar 27, 2026
Giskard Agents have Server-side template injection via ChatWorkflow.chat() using non-sandboxed Jinja2 Environment
High
CVE-2026-34172
was published
for
giskard-agents
(pip)
Mar 27, 2026
Incus vulnerable to arbitrary file read and write through pongo templates
Critical
CVE-2026-33897
was published
for
github.com/lxc/incus
(Go)
Mar 27, 2026
dynaconf Affected by Remote Code Execution (RCE) via Insecure Template Evaluation in @jinja Resolver
High
CVE-2026-33154
was published
for
dynaconf
(pip)
Mar 18, 2026
RCE via SSTI for users with permissions to access the Craft CMS Webhooks plugin
High
CVE-2026-32261
was published
for
craftcms/webhooks
(Composer)
Mar 16, 2026
Craft CMS has potential authenticated Remote Code Execution via Twig SSTI
Moderate
CVE-2026-28784
was published
for
craftcms/cms
(Composer)
Mar 3, 2026
Craft CMS has Twig Function Blocklist Bypass
Moderate
CVE-2026-28783
was published
for
craftcms/cms
(Composer)
Mar 3, 2026
Craft CMS Vulnerable to Authenticated RCE via "craft.app.fs.write()" in Twig Templates
Critical
CVE-2026-28697
was published
for
craftcms/cms
(Composer)
Mar 3, 2026
Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget
Moderate
CVE-2026-28695
was published
for
craftcms/cms
(Composer)
Mar 3, 2026
Flask-Reuploaded vulnerable to Remote Code Execution via Server-Side Template Injection
Critical
CVE-2026-27641
was published
for
flask-reuploaded
(pip)
Feb 25, 2026
JinJava Bypass through ForTag leads to Arbitrary Java Execution
Critical
CVE-2026-25526
was published
for
com.hubspot.jinjava:jinjava
(Maven)
Feb 3, 2026
XDocReport affected by a Server-Side Template Injection (SSTI) vulnerability
Critical
CVE-2025-64087
was published
for
fr.opensagres.xdocreport:fr.opensagres.xdocreport.template.freemarker
(Maven)
Jan 20, 2026
Kimai has an Authenticated Server-Side Template Injection (SSTI)
Moderate
CVE-2026-23626
was published
for
kimai/kimai
(Composer)
Jan 20, 2026
OpenMetadata's Server-Side Template Injection (SSTI) in FreeMarker email templates leads to RCE
High
CVE-2026-22244
was published
for
org.open-metadata:platform
(Maven)
Jan 7, 2026
Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI
Moderate
CVE-2025-68454
was published
for
craftcms/cms
(Composer)
Jan 5, 2026
ProTip!
Advisories are also available from the
GraphQL API