Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

33,376 advisories

Loading
kexinoh Credited to kexinoh, russellb, DarkLight1337, and Isotr0py russellb russellb
DarkLight1337 DarkLight1337 Isotr0py Isotr0py
ArcadeDB has cross-database IDOR: /ts/*, /batch/*, Prometheus and Grafana handlers bypass authorization High
GHSA-x8mg-6r4p-87pf was published for com.arcadedb:arcadedb-server (Maven) Jul 16, 2026
ArcadeDB: Scripting authorization gate (GHSA-48qw-824m-86pr) bypassed via SQL DEFINE FUNCTION ... LANGUAGE js High
GHSA-vwjc-v7x7-cm6g was published for com.arcadedb:arcadedb-engine (Maven) Jul 16, 2026
ArcadeDB: Trigger scripts run with java.lang.* allowed, enabling OS command execution (RCE) High
GHSA-x9f9-r4m8-9xc2 was published for com.arcadedb:arcadedb-engine (Maven) Jul 16, 2026
MCP Python SDK: WebSocket server transport does not support Host/Origin validation High
CVE-2026-59950 was published for mcp (pip) Jul 16, 2026
nitish-yaddala Credited to nitish-yaddala, Nadav0077, dodge1218, gistrec, and u-ktdi Nadav0077 Nadav0077
dodge1218 dodge1218 gistrec gistrec u-ktdi u-ktdi
ArcadeDB: Privilege escalation via reader role in /api/v1/command JS scripting language — arbitrary host file read High
GHSA-48qw-824m-86pr was published for com.arcadedb:arcadedb-server (Maven) Jul 16, 2026
kyojune76 Credited to kyojune76
Pheditor: Hardcoded default password 'admin' with no forced change enables full application compromise Critical
CVE-2026-55579 was published for pheditor/pheditor (Composer) Jul 16, 2026
sondt99 Credited to sondt99
sondt99 Credited to sondt99
kuma-dp connects to control plane without verifying TLS certificate when no CA is configured Moderate
CVE-2026-52724 was published for github.com/kumahq/kuma (Go) Jul 16, 2026
ArcadeDB: Read-only users can mutate database schema (incomplete fix of CVE-2026-44221) High
CVE-2026-54076 was published for com.arcadedb:arcadedb-engine (Maven) Jul 16, 2026
ArcadeDB: IMPORT DATABASE allows SSRF and arbitrary local file read by authenticated users High
CVE-2026-54077 was published for com.arcadedb:arcadedb-engine (Maven) Jul 16, 2026
nimiq-primitives: Out-of-bounds panic in KeyNibbles::Add from oversized child suffix in a deserialized proof Low
CVE-2026-54542 was published for nimiq-primitives (Rust) Jul 16, 2026
paberr Credited to paberr and Piravlos Piravlos Piravlos
nimiq-primitives: Panic in TrieProof::verify via child_index unwrap on equal-length keys Low
CVE-2026-54541 was published for nimiq-primitives (Rust) Jul 16, 2026
paberr Credited to paberr and Piravlos Piravlos Piravlos
Pheditor has an authenticated terminal command whitelist bypass High
CVE-2026-54540 was published for pheditor/pheditor (Composer) Jul 16, 2026
shanjijian Credited to shanjijian
srikanthramu Credited to srikanthramu and hewei-gikaku hewei-gikaku hewei-gikaku
cjmielke Credited to cjmielke, dewankpant, and shrutilohani dewankpant dewankpant
shrutilohani shrutilohani
Nuclio: Unauthenticated path traversal in spec.handler allows arbitrary file write in Dashboard container Moderate
CVE-2026-52832 was published for github.com/nuclio/nuclio (Go) Jul 16, 2026
j311yl0v3u Credited to j311yl0v3u and b0b0haha b0b0haha b0b0haha
Nuclio: Unsanitized runtimeAttributes.repositories injected into Groovy build.gradle leads to build-time RCE High
CVE-2026-52833 was published for github.com/nuclio/nuclio (Go) Jul 16, 2026
j311yl0v3u Credited to j311yl0v3u and b0b0haha b0b0haha b0b0haha
Envoy Gateway: xDS Control Plane Information Disclosure when operating in GatewayNamespaceMode High
CVE-2026-53714 was published for github.com/envoyproxy/gateway (Go) Jul 16, 2026
cnvergence Credited to cnvergence, zirain, guydc, and dashingDragon zirain zirain
guydc guydc dashingDragon dashingDragon
Envoy Gateway: Authentication Bypass via Improper Input Validation in EnvoyExtensionPolicy Lua Allows Secret Disclosure Critical
CVE-2026-53713 was published for github.com/envoyproxy/gateway (Go) Jul 16, 2026
rudrakhp Credited to rudrakhp and dashingDragon dashingDragon dashingDragon
Envoy Gateway: Wasm cache ServeHTTP reads mappingPath2Cache without lock Moderate
CVE-2026-53715 was published for github.com/envoyproxy/gateway (Go) Jul 16, 2026
zhaohuabing Credited to zhaohuabing
Envoy Gateway: OCI layer extraction allocates make([]byte, h.Size) from untrusted tar header Moderate
CVE-2026-53717 was published for github.com/envoyproxy/gateway (Go) Jul 16, 2026
zhaohuabing Credited to zhaohuabing
Envoy Gateway: Nil-dereference when SecurityPolicy targets TCPRoute without spec.authorization Moderate
CVE-2026-53719 was published for github.com/envoyproxy/gateway (Go) Jul 16, 2026
Envoy Gateway: Wasm HTTP fetch decompresses gzip without output-size limit Moderate
CVE-2026-53716 was published for github.com/envoyproxy/gateway (Go) Jul 16, 2026
zhaohuabing Credited to zhaohuabing
ProTip! Advisories are also available from the GraphQL API