Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

33,376 advisories

Loading
Envoy Gateway custom backendRef cross-namespace ReferenceGrant bypass Moderate
CVE-2026-53718 was published for github.com/envoyproxy/gateway (Go) Jul 16, 2026
kumactl connects to control plane without verifying TLS certificate when no CA is configured Moderate
CVE-2026-50166 was published for github.com/kumahq/kuma (Go) Jul 16, 2026
ToolHive: SSRF in remote MCP server authentication discovery (host-side, bypasses container isolation) Low
CVE-2026-58196 was published for github.com/stacklok/toolhive (Go) Jul 15, 2026
bIackr0se Credited to bIackr0se, jhrozek, JAORMX, ChrisJBurns, and rdimitrov jhrozek jhrozek
JAORMX JAORMX ChrisJBurns ChrisJBurns rdimitrov rdimitrov
adawolfa/isdoc: Uncontrolled resource consumption (decompression bomb) when reading untrusted ISDOCX or PDF files Moderate
GHSA-xg43-5579-qw6v was published for adawolfa/isdoc (Composer) Jul 15, 2026
@andrea9293/mcp-documentation-server: Web UI API binds to all interfaces without authentication by default High
CVE-2026-54504 was published for @andrea9293/mcp-documentation-server (npm) Jul 15, 2026
tonghuaroot Credited to tonghuaroot
Pomerium Pre-Auth Memory Exhaustion via Unbounded zstd Decompression in HPKE Callback High
CVE-2026-50285 was published for github.com/pomerium/pomerium (Go) Jul 15, 2026
bugbunny-research Credited to bugbunny-research
dd-trace-rb: Improper parsing of W3C baggage headers may lead to DoS High
CVE-2026-50276 was published for datadog (RubyGems) Jul 15, 2026
dd-trace-go: Improper parsing of W3C baggage headers may lead to DoS High
CVE-2026-50274 was published for github.com/DataDog/dd-trace-go (Go) Jul 15, 2026
dd-trace-dotnet: Improper parsing of W3C baggage headers may lead to DoS High
CVE-2026-50273 was published for Datadog.Trace (NuGet) Jul 15, 2026
dd-trace-js: Improper parsing of W3C baggage headers may lead to DoS High
CVE-2026-50272 was published for dd-trace (npm) Jul 15, 2026
dd-trace-py: Improper parsing of W3C baggage headers may lead to DoS High
CVE-2026-50271 was published for ddtrace (pip) Jul 15, 2026
dd-trace-java: Improper parsing of W3C baggage headers may lead to DoS High
CVE-2026-50270 was published for com.datadoghq:dd-java-agent (Maven) Jul 15, 2026
ViewComponent: Reused Component Instances Retain Stale Render Context Moderate
CVE-2026-54497 was published for view_component (RubyGems) Jul 15, 2026
cyberlanc3r Credited to cyberlanc3r
ViewComponent: around_render HTML-Safety Bypass High
CVE-2026-54498 was published for view_component (RubyGems) Jul 15, 2026
cyberlanc3r Credited to cyberlanc3r
open-feature-operator: Cross-namespace FeatureFlagSource and InProcessConfiguration resolution exposes spec contents on multi-tenant clusters Moderate
CVE-2026-54495 was published for github.com/open-feature/open-feature-operator (Go) Jul 15, 2026
0xVijay Credited to 0xVijay
django-haystack: Remote Code Execution via `eval()` in Elasticsearch Result Deserialization High
GHSA-r3hx-x5rh-p9vv was published for django-haystack (pip) Jul 15, 2026
serde_with: KeyValueMap serialization panics on empty sequence or map entries Moderate
GHSA-7gcf-g7xr-8hxj was published for serde_with (Rust) Jul 15, 2026
7thParkk Credited to 7thParkk
websocket-driver: Resource limit bypass via message compression Moderate
CVE-2026-54490 was published for websocket-driver (npm) Jul 15, 2026
pranjalithakur Credited to pranjalithakur
websocket-driver: Message corruption via abuse of protocol length headers Critical
CVE-2026-54466 was published for websocket-driver (npm) Jul 15, 2026
pranjalithakur Credited to pranjalithakur
websocket-driver: Memory exhaustion in HTTP header parser Moderate
CVE-2026-54465 was published for websocket-driver (RubyGems) Jul 15, 2026
pranjalithakur Credited to pranjalithakur
websocket-driver: Resource limit bypass via message compression Moderate
CVE-2026-54464 was published for websocket-driver (RubyGems) Jul 15, 2026
pranjalithakur Credited to pranjalithakur
websocket-driver: Memory exhaustion via abuse of protocol length headers Moderate
CVE-2026-54463 was published for websocket-driver (RubyGems) Jul 15, 2026
pranjalithakur Credited to pranjalithakur
Pixeldrain API key shared with unverified thirdparty sites Moderate
CVE-2026-54254 was published for cyberdrop-dl-patched (pip) Jul 15, 2026
NTFSvolume Credited to NTFSvolume
TensorZero Gateway: Arbitrary file read and SSRF in internal object storage endpoint High
CVE-2026-54457 was published for tensorzero (pip) Jul 15, 2026
geo-chen Credited to geo-chen
ProTip! Advisories are also available from the GraphQL API