Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

33,376 advisories

Loading
safeurl is Missing IPv6 CIDR Ranges in Blocklist Moderate
CVE-2026-54452 was published for github.com/doyensec/safeurl (Go) Jul 15, 2026
tonghuaroot Credited to tonghuaroot
vittorio-prodomo Credited to vittorio-prodomo, mo-getter, benjaminpkane, kevin-dimichel, AdonaiVera, and AAtomical mo-getter mo-getter
benjaminpkane benjaminpkane kevin-dimichel kevin-dimichel AdonaiVera AdonaiVera AAtomical AAtomical
AgenticWizard Credited to AgenticWizard
tonghuaroot Credited to tonghuaroot, rdimitrov, and JAORMX rdimitrov rdimitrov
JAORMX JAORMX
MantisBT: Stored XSS in print_all_bug_page_word.php High
CVE-2026-62944 was published for mantisbt/mantisbt (Composer) Jul 15, 2026
dracosectech-code Credited to dracosectech-code and dregad dregad dregad
MantisBT: Injection of TIME_TRACKING and REMINDER Notes via REST and SOAP APIs Moderate
CVE-2026-52883 was published for mantisbt/mantisbt (Composer) Jul 15, 2026
byteoverride Credited to byteoverride and dregad dregad dregad
MantisBT: REST and SOAP API Issue Update Accepts Unreleased Product Versions From Updaters Moderate
CVE-2026-52882 was published for mantisbt/mantisbt (Composer) Jul 15, 2026
dregad Credited to dregad
MantisBT: Reflected XSS in admin/install.php via unescaped printf Critical
CVE-2026-52881 was published for mantisbt/mantisbt (Composer) Jul 15, 2026
McCaulay Credited to McCaulay and dregad dregad dregad
MantisBT: Reflected XSS in admin/install.php Critical
CVE-2026-52847 was published for mantisbt/mantisbt (Composer) Jul 15, 2026
McCaulay Credited to McCaulay and dregad dregad dregad
Koel: Server-Side Request Forgery (SSRF) in radio station creation due to missing validation bail Moderate
CVE-2026-50552 was published for phanan/koel (Composer) Jul 15, 2026
Yunkaiwjs Credited to Yunkaiwjs
Koel: Incomplete fix for CVE-2026-47260 — systemic SSRF in podcast & radio fetch paths High
CVE-2026-54491 was published for phanan/koel (Composer) Jul 15, 2026
kiffa-australis256 Credited to kiffa-australis256
Protobuf: Unbounded recursion depth in embedded-message decoding High
CVE-2026-54451 was published for protobuf (Erlang) Jul 15, 2026
PJUllrich Credited to PJUllrich and whatyouhide whatyouhide whatyouhide
LangBot: Authenticated RCE Via MCP Configuration High
CVE-2026-54449 was published for langbot (pip) Jul 15, 2026
MosesOX Credited to MosesOX
garminconnect Has Insecure Permission Assignment for Garmin OAuth Token Store High
CVE-2026-54447 was published for garminconnect (pip) Jul 15, 2026
EQSTLab Credited to EQSTLab and 232-323 232-323 232-323
Koel has SSRF through Authenticated Subsonic podcast feed URLs Moderate
GHSA-8q6q-m837-fv64 was published for phanan/koel (Composer) Jul 15, 2026
DavidCarliez Credited to DavidCarliez
Koel: Authenticated Full-Read SSRF via Subsonic Internet Radio Stations High
CVE-2026-54493 was published for phanan/koel (Composer) Jul 15, 2026
dennyabrahamsinaga Credited to dennyabrahamsinaga
Koel: Authenticated Blind SSRF via Subsonic Podcast Channel Creation Moderate
CVE-2026-54492 was published for phanan/koel (Composer) Jul 15, 2026
dennyabrahamsinaga Credited to dennyabrahamsinaga
MantisBT: REST API unauthorized Issue status change Moderate
CVE-2026-49280 was published for mantisbt/mantisbt (Composer) Jul 15, 2026
dregad Credited to dregad and mamdouhmahfouz mamdouhmahfouz mamdouhmahfouz
MantisBT: Remote Code Execution via eval() Class Hoisting in adm_config_set.php High
CVE-2026-49273 was published for mantisbt/mantisbt (Composer) Jul 15, 2026
McCaulay Credited to McCaulay and dregad dregad dregad
MantisBT: SOAP API Authentication Bypass with Privilege Escalation to Administrator Critical
CVE-2026-47156 was published for mantisbt/mantisbt (Composer) Jul 15, 2026
McCaulay Credited to McCaulay, dregad, tyage, voraci0us, chndlrx, and bharatdevasani dregad dregad
tyage tyage voraci0us voraci0us chndlrx chndlrx bharatdevasani bharatdevasani
MantisBT: SQL Injection via history_order Configuration Value High
CVE-2026-47142 was published for mantisbt/mantisbt (Composer) Jul 15, 2026
McCaulay Credited to McCaulay and dregad dregad dregad
FacturaScripts: Path traversal in UploadedFile::move() via getClientOriginalName() — arbitrary file write outside MyFiles/ leading to RCE Critical
GHSA-hgjx-r89m-m7v4 was published for facturascripts/facturascripts (Composer) Jul 14, 2026
aslein1413-sys Credited to aslein1413-sys
NetLicensing-MCP: Unauthenticated Use of Server-Side NetLicensing API Key in HTTP Mode High
CVE-2026-54446 was published for netlicensing-mcp (pip) Jul 14, 2026
EQSTLab Credited to EQSTLab
Woodpecker: Privilege escalation via unrestricted serviceAccountName in the Kubernetes backend High
CVE-2026-61549 was published for github.com/woodpecker-ci/woodpecker (Go) Jul 14, 2026
AnuragBathani Credited to AnuragBathani
ProTip! Advisories are also available from the GraphQL API