GitHub Security Advisories

cited as evidence in 53 · CNA assigner on 35 (independent) of 59 known-exploited records. Every aggregate on this page is recomputed from the records listed below — each one already cited to its public source.

github.com ↗ · home of the cited advisories

Independent CNA

records cited in

deterministic count

finder / reporter credits

CVE.org credits

CVE records catalogued (CNA)

independent

67%

avg modeled exploit prob.

FIRST EPSS, 59/59

10%

ransomware-associated

6 of 59 · CISA flag

Known for

— recomputed from this contributor’s own records

SurfacesApplication / other (53), Server / web platform (2), Operating system / kernel (2), Edge / remote-access infra (1), Hypervisor / virtualization (1)

WeaknessInjection (22), Authentication (8), Path traversal / file (6), Web / client (5), Authorization / access control (4)

PortfolioCraft CMS (4), OSGeo (3), Roundcube (3), Langflow (3), OpenPLC (2), Laravel (2)

Narrative reach

— how far this contributor’s records carry an attacker, front door → lights out

1Front door

58reach this stage

→

2Keys to the kingdom

58reach this stage

→

3Lateral reach

55reach this stage

→

4Data at risk

8reach this stage

→

5Lights out

0reach this stage

Furthest any of these records carries an attacker: 4 · Data at risk. 8 of 58 narrative-framed records reach data-at-risk or lights-out. (furthest-position idiom, reused from the landing map; the stage mapping is a model output over cited evidence.)

Recent highlights

— this contributor’s newest known-exploited records

CVE-2026-42271BerriAI54%KEV CVE-2026-45321TanStack2%RWKEV CVE-2026-48027Nx1%RWKEV CVE-2025-34291Langflow25%KEV CVE-2026-42208BerriAI93%KEV CVE-2026-39987Marimo96%KEV

Every record they’re cited in

— all 59, each linked to its cited source

This is the evidence behind every number above. Sorted ransomware-first, then by modeled exploit probability.

CVE-2021-3129Laravel100%RWKEV CVE-2025-55182Meta100%RWKEV CVE-2023-43208NextGen Healthcare83%RWKEV CVE-2020-2021Palo Alto Networks4%RWKEV CVE-2026-45321TanStack2%RWKEV CVE-2026-48027Nx1%RWKEV CVE-2023-32315Ignite Realtime100%KEV CVE-2025-3248Langflow100%KEV CVE-2021-39226Grafana Labs100%KEV CVE-2025-24893XWiki100%KEV CVE-2022-46169Cacti100%KEV CVE-2024-36401OSGeo100%KEV CVE-2025-32432Craft CMS100%KEV CVE-2016-10033PHP100%KEV CVE-2024-23692Rejetto99%KEV CVE-2022-24816OSGeo99%KEV CVE-2021-39144XStream99%KEV CVE-2026-33017Langflow98%KEV CVE-2025-68613n8n98%KEV CVE-2025-32433Erlang98%KEV CVE-2024-56145Craft CMS97%KEV CVE-2021-41277Metabase97%KEV CVE-2026-39987Marimo96%KEV CVE-2026-42208BerriAI93%KEV CVE-2025-24016Wazuh93%KEV CVE-2025-54068Laravel92%KEV CVE-2024-11680ProjectSend92%KEV CVE-2021-21311Adminer90%KEV CVE-2021-32648October CMS90%KEV CVE-2021-21315Npm package90%KEV CVE-2025-49113Roundcube89%KEV CVE-2021-43798Grafana Labs89%KEV CVE-2025-57819Sangoma87%KEV CVE-2025-64328Sangoma84%KEV CVE-2023-28432MinIO84%KEV CVE-2020-11023JQuery84%KEV CVE-2021-22555Linux79%KEV CVE-2025-8110Gogs77%KEV CVE-2024-37383Roundcube73%KEV CVE-2020-36193PEAR71%KEV CVE-2025-58360OSGeo67%KEV CVE-2025-11953React Native Community62%KEV CVE-2026-33634Aquasecurity60%KEV CVE-2025-31125Vite60%KEV CVE-2026-42271BerriAI54%KEV CVE-2021-26829OpenPLC48%KEV CVE-2025-30066tj-actions45%KEV CVE-2021-26828OpenPLC39%KEV CVE-2025-34291Langflow25%KEV CVE-2025-68461Roundcube20%KEV CVE-2024-6047GeoVision10%KEV CVE-2023-28434MinIO7%KEV CVE-2018-0161Cisco4%KEV CVE-2025-54313Prettier4%KEV CVE-2025-23209Craft CMS4%KEV CVE-2025-48384Git3%KEV CVE-2025-30154reviewdog2%KEV CVE-2025-22226VMware2%KEV CVE-2025-35939Craft CMS1%KEV

Coverage & confidence

— what this profile claims, and what it does not

Established (cited)

Cited in 59 known-exploited records — the list below; every one links to its public source.

Catalogued 35 CVE record(s) as the CNA assigner (from CVE.org).

Coverage gaps — stated, not hidden

This profile is an aggregation: it asserts only what the listed records already cite — no new external claim about the contributor is made.

The TYPE badge and the narrative-stage mapping are editorial (our call), labeled as such, not a sourced fact.