GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
10,761 advisories
Capgo before 12.128.2 contains an unauthenticated security definer RPC function...
High | Unreviewed | CVE-2026-56242 was published | Jun 21, 2026

Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated ...
Moderate | Unreviewed | CVE-2026-56282 was published | Jun 20, 2026

Cap-go capgo before 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC...
Moderate | Unreviewed | CVE-2026-56235 was published | Jun 20, 2026

Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account...
Moderate | Unreviewed | CVE-2026-56267 was published | Jun 20, 2026

Capgo before 12.128.2 fails to strip EXIF metadata including GPS geolocation data from uploaded...
Moderate | Unreviewed | CVE-2026-56218 was published | Jun 20, 2026

Capgo before 12.128.2 contains an information disclosure vulnerability in Supabase PostgREST RPC...
High | Unreviewed | CVE-2026-56214 was published | Jun 20, 2026

Capgo before 12.128.2 contains a cross-tenant authorization bypass vulnerability in PostgREST...
High | Unreviewed | CVE-2026-56079 was published | Jun 20, 2026

SurrealDB: Indexed ORDER BY leaks the value ordering of a SELECT-restricted field
Moderate | GHSA-h4h3-3rfj-x6fq was published for surrealdb (Rust) | Jun 19, 2026

parse-server: LiveQuery discloses object data to a subscriber across an ACL read-access change
Low | GHSA-97pr-9hgg-3p8r was published for parse-server (npm) | Jun 19, 2026

Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit
Critical | CVE-2026-55447 was published for langflow (pip) | Jun 19, 2026

http4k: `BasicCookieStorage` (renamed `InsecureCookieStorage`) did not enforce RFC 6265 cookie scoping; new `DefaultCookieStorage` is now the default
Moderate | GHSA-pr33-38xx-6r26 was published for org.http4k:http4k-core (Maven) | Jun 19, 2026

dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens
Moderate | CVE-2026-55837 was published for dbt-mcp (pip) | Jun 19, 2026

Grafana Operator: Privilege escalation from namespace admin to cluster admin via GrafanaDashboard jsonnetLib fileName
Moderate | CVE-2026-11769 was published for github.com/grafana/grafana-operator (Go) | Jun 19, 2026

Home Assistant: Konnected alarm-panel switch state and zone topology disclosed to unauthenticated actors on the LAN
High | CVE-2026-54317 was published for homeassistant (pip) | Jun 19, 2026

parse-server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied
Moderate | CVE-2026-53725 was published for parse-server (npm) | Jun 19, 2026

symfony/ux-autocomplete: Information exposure via unescaped LIKE wildcards in EntitySearchUtil
Moderate | CVE-2026-49211 was published for symfony/ux-autocomplete (Composer) | Jun 19, 2026

The GridTime 3000 GNSS Time Server leaks the access token in the URL parameters of some endpoints...
Moderate | Unreviewed | CVE-2026-12620 was published | Jun 19, 2026

Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server
High | CVE-2026-55882 was published for github.com/tilt-dev/tilt (Go) | Jun 19, 2026

Exposure of sensitive information to an unauthorized actor in Cost Management Interactive...
High | Unreviewed | CVE-2026-47633 was published | Jun 19, 2026

PraisonAI A2U incomplete authentication fix leaves current serve command unauthenticated by default
High | GHSA-jxcw-qp4h-6jfq was published for praisonai (pip) | Jun 18, 2026

PraisonAI Code agent tools fail open without a workspace boundary
High | GHSA-gcq3-mfvh-3x25 was published for praisonai (pip) | Jun 18, 2026

PraisonAI: AgentOS remains unauthenticated after incomplete fix version and allows remote agent invocation
Critical | GHSA-892r-p3jq-jp24 was published for praisonai (pip) | Jun 18, 2026

PraisonAI dynamic-context artifact tools read arbitrary host files outside artifact storage
High | GHSA-j7qx-p75m-wp7g was published for praisonai (pip) | Jun 18, 2026

PraisonAI Dynamic Context history and terminal tools read files outside configured storage via path traversal
High | GHSA-22cj-m4wf-fv2c was published for praisonai (pip) | Jun 18, 2026

The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information...
Moderate | Unreviewed | CVE-2026-12111 was published | Jun 18, 2026

ProTip! Advisories are also available from the GraphQL API.