GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
102
GitHub Actions
54
Go
4,338
Maven
5,000+
npm
5,000+
NuGet
1,031
pip
5,000+
Pub
13
RubyGems
1,122
Rust
1,497
Swift
61
Unreviewed advisories
All unreviewed
5,000+
33,363 advisories
Filter by severity
Formie: Missing authorization in administrative settings allows low-privileged CP users to modify plugin configuration
Moderate
GHSA-cvpc-hccg-wmw4
was published
for
verbb/formie
(Composer)
Jul 17, 2026
Gitea has insufficient permission checks for Composer package source links
High
CVE-2026-27771
was published
for
code.gitea.io/gitea
(Go)
Jul 17, 2026
TAK-PS-Stats Web UI: Authenticated full-read SSRF in CloudTAK basemap import (PUT /api/basemap) — no IP-classification guard
Moderate
CVE-2026-54546
was published
for
@tak-ps/cloudtak
(npm)
Jul 17, 2026
oapi-codegen: OpenAPI Server Description Escapes Generated Go Comment and Injects Executable Code
Low
GHSA-rjwr-m7qx-3fjr
was published
for
github.com/oapi-codegen/oapi-codegen/v2
(Go)
Jul 17, 2026
meta-ads-mcp: X-Pipeboard-Token Header Auth Bypass Reuses Operator Meta Token
High
CVE-2026-54547
was published
for
meta-ads-mcp
(pip)
Jul 17, 2026
meta-ads-mcp: Server-Side Request Forgery (SSRF) in `upload_ad_image` via Unrestricted `image_url` Fetch
High
CVE-2026-54549
was published
for
meta-ads-mcp
(pip)
Jul 17, 2026
sh _uid does not drop supplementary groups (incomplete privilege drop)
High
CVE-2026-54552
was published
for
sh
(pip)
Jul 17, 2026
AWS-JDBC Wrapper: Privilege Escalation in Aurora PostgreSQL instance
High
CVE-2026-11400
was published
for
software.amazon.jdbc:aws-advanced-jdbc-wrapper
(Maven)
Jul 17, 2026
plone.restapi: Stored XSS by spoofing mime type
Moderate
GHSA-8rqh-vxpr-x77p
was published
for
plone.restapi
(pip)
Jul 17, 2026
plone.app.textfield: Stored XSS by spoofing mime type
Moderate
CVE-2026-54503
was published
for
plone.app.textfield
(pip)
Jul 17, 2026
Skipper: Unbounded Request Body Read in Admission Webhook Causes Memory Exhaustion DoS
Moderate
CVE-2026-54247
was published
for
github.com/zalando/skipper
(Go)
Jul 17, 2026
vLLM: Speech-to-text upload size limit is enforced after full UploadFile read
Moderate
CVE-2026-55646
was published
for
vllm
(pip)
Jul 17, 2026
vLLM: ReDoS via structured_outputs.regex compiled without timeout in xgrammar and outlines backends
High
CVE-2026-55574
was published
for
vllm
(pip)
Jul 17, 2026
vLLM has Remote DoS via Invalid Recovered Token Reinjection
High
CVE-2026-54234
was published
for
vllm
(pip)
Jul 17, 2026
vLLM: Processing differential in multi-channel audio downmixing enables hidden-input/moderation bypass for audio models
Moderate
CVE-2026-34760
was published
for
vllm
(pip)
Jul 17, 2026
ArcadeDB has cross-database IDOR: /ts/*, /batch/*, Prometheus and Grafana handlers bypass authorization
High
GHSA-x8mg-6r4p-87pf
was published
for
com.arcadedb:arcadedb-server
(Maven)
Jul 16, 2026
ArcadeDB: Scripting authorization gate (GHSA-48qw-824m-86pr) bypassed via SQL DEFINE FUNCTION ... LANGUAGE js
High
GHSA-vwjc-v7x7-cm6g
was published
for
com.arcadedb:arcadedb-engine
(Maven)
Jul 16, 2026
ArcadeDB: Trigger scripts run with java.lang.* allowed, enabling OS command execution (RCE)
High
GHSA-x9f9-r4m8-9xc2
was published
for
com.arcadedb:arcadedb-engine
(Maven)
Jul 16, 2026
MCP Python SDK: WebSocket server transport does not support Host/Origin validation
High
CVE-2026-59950
was published
for
mcp
(pip)
Jul 16, 2026
ArcadeDB: Privilege escalation via reader role in /api/v1/command JS scripting language — arbitrary host file read
High
GHSA-48qw-824m-86pr
was published
for
com.arcadedb:arcadedb-server
(Maven)
Jul 16, 2026
Pheditor: Hardcoded default password 'admin' with no forced change enables full application compromise
Critical
CVE-2026-55579
was published
for
pheditor/pheditor
(Composer)
Jul 16, 2026
Pheditor: Incomplete command sanitization in terminal feature allows RCE via pipe operator, backtick substitution, and newline injection
High
CVE-2026-55578
was published
for
pheditor/pheditor
(Composer)
Jul 16, 2026
kuma-dp connects to control plane without verifying TLS certificate when no CA is configured
Moderate
CVE-2026-52724
was published
for
github.com/kumahq/kuma
(Go)
Jul 16, 2026
ArcadeDB: Read-only users can mutate database schema (incomplete fix of CVE-2026-44221)
High
CVE-2026-54076
was published
for
com.arcadedb:arcadedb-engine
(Maven)
Jul 16, 2026
ArcadeDB: IMPORT DATABASE allows SSRF and arbitrary local file read by authenticated users
High
CVE-2026-54077
was published
for
com.arcadedb:arcadedb-engine
(Maven)
Jul 16, 2026
ProTip!
Advisories are also available from the
GraphQL API