Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

33,363 advisories

Loading
Formie: Missing authorization in administrative settings allows low-privileged CP users to modify plugin configuration Moderate
GHSA-cvpc-hccg-wmw4 was published for verbb/formie (Composer) Jul 17, 2026
chaitanyagarware Credited to chaitanyagarware
Gitea has insufficient permission checks for Composer package source links High
CVE-2026-27771 was published for code.gitea.io/gitea (Go) Jul 17, 2026
DevNoScope Credited to DevNoScope
tonghuaroot Credited to tonghuaroot
oapi-codegen: OpenAPI Server Description Escapes Generated Go Comment and Injects Executable Code Low
GHSA-rjwr-m7qx-3fjr was published for github.com/oapi-codegen/oapi-codegen/v2 (Go) Jul 17, 2026
quart27219 Credited to quart27219 and kimdu0 kimdu0 kimdu0
meta-ads-mcp: X-Pipeboard-Token Header Auth Bypass Reuses Operator Meta Token High
CVE-2026-54547 was published for meta-ads-mcp (pip) Jul 17, 2026
EQSTLab Credited to EQSTLab
EQSTLab Credited to EQSTLab and useworld useworld useworld
sh _uid does not drop supplementary groups (incomplete privilege drop) High
CVE-2026-54552 was published for sh (pip) Jul 17, 2026
Gares95 Credited to Gares95
AWS-JDBC Wrapper: Privilege Escalation in Aurora PostgreSQL instance High
CVE-2026-11400 was published for software.amazon.jdbc:aws-advanced-jdbc-wrapper (Maven) Jul 17, 2026
ph0smet Credited to ph0smet
plone.restapi: Stored XSS by spoofing mime type Moderate
GHSA-8rqh-vxpr-x77p was published for plone.restapi (pip) Jul 17, 2026
gyst Credited to gyst
plone.app.textfield: Stored XSS by spoofing mime type Moderate
CVE-2026-54503 was published for plone.app.textfield (pip) Jul 17, 2026
gyst Credited to gyst
Skipper: Unbounded Request Body Read in Admission Webhook Causes Memory Exhaustion DoS Moderate
CVE-2026-54247 was published for github.com/zalando/skipper (Go) Jul 17, 2026
alcls01111 Credited to alcls01111
vLLM: Speech-to-text upload size limit is enforced after full UploadFile read Moderate
CVE-2026-55646 was published for vllm (pip) Jul 17, 2026
rexpository Credited to rexpository and jperezdealgaba jperezdealgaba jperezdealgaba
brodmart Credited to brodmart and jperezdealgaba jperezdealgaba jperezdealgaba
vLLM has Remote DoS via Invalid Recovered Token Reinjection High
CVE-2026-54234 was published for vllm (pip) Jul 17, 2026
NeilAlfred Credited to NeilAlfred and jperezdealgaba jperezdealgaba jperezdealgaba
kexinoh Credited to kexinoh, russellb, DarkLight1337, and Isotr0py russellb russellb
DarkLight1337 DarkLight1337 Isotr0py Isotr0py
ArcadeDB has cross-database IDOR: /ts/*, /batch/*, Prometheus and Grafana handlers bypass authorization High
GHSA-x8mg-6r4p-87pf was published for com.arcadedb:arcadedb-server (Maven) Jul 16, 2026
ArcadeDB: Scripting authorization gate (GHSA-48qw-824m-86pr) bypassed via SQL DEFINE FUNCTION ... LANGUAGE js High
GHSA-vwjc-v7x7-cm6g was published for com.arcadedb:arcadedb-engine (Maven) Jul 16, 2026
ArcadeDB: Trigger scripts run with java.lang.* allowed, enabling OS command execution (RCE) High
GHSA-x9f9-r4m8-9xc2 was published for com.arcadedb:arcadedb-engine (Maven) Jul 16, 2026
MCP Python SDK: WebSocket server transport does not support Host/Origin validation High
CVE-2026-59950 was published for mcp (pip) Jul 16, 2026
nitish-yaddala Credited to nitish-yaddala, Nadav0077, dodge1218, gistrec, and u-ktdi Nadav0077 Nadav0077
dodge1218 dodge1218 gistrec gistrec u-ktdi u-ktdi
ArcadeDB: Privilege escalation via reader role in /api/v1/command JS scripting language — arbitrary host file read High
GHSA-48qw-824m-86pr was published for com.arcadedb:arcadedb-server (Maven) Jul 16, 2026
kyojune76 Credited to kyojune76
Pheditor: Hardcoded default password 'admin' with no forced change enables full application compromise Critical
CVE-2026-55579 was published for pheditor/pheditor (Composer) Jul 16, 2026
sondt99 Credited to sondt99
sondt99 Credited to sondt99
kuma-dp connects to control plane without verifying TLS certificate when no CA is configured Moderate
CVE-2026-52724 was published for github.com/kumahq/kuma (Go) Jul 16, 2026
ArcadeDB: Read-only users can mutate database schema (incomplete fix of CVE-2026-44221) High
CVE-2026-54076 was published for com.arcadedb:arcadedb-engine (Maven) Jul 16, 2026
ArcadeDB: IMPORT DATABASE allows SSRF and arbitrary local file read by authenticated users High
CVE-2026-54077 was published for com.arcadedb:arcadedb-engine (Maven) Jul 16, 2026
ProTip! Advisories are also available from the GraphQL API