GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

657 advisories

Nezha Monitoring: Authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing (Moderate)
CVE-2026-53520 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Credited to sondt99

Hysteria has an authenticated UDP ACL bypass that enables localhost and private-network UDP SSRF (High)
GHSA-vgrc-hq28-p3xp was published for github.com/apernet/hysteria/core/v2 (Go) Jun 26, 2026
Credited to 0xlally

GitHub MCP Server: Lockdown mode singleton in HTTP server causes cross-user GraphQL client confusion (Moderate)
CVE-2026-48529 was published for github.com/github/github-mcp-server (Go) Jun 25, 2026
Credited to hewei-gikaku, matte1782, kerobbi, and JoannaaKL

Credited to Aikido-Security, JorianWoltjer, and grumpinout1

Budibase has an Account Impersonation Issue: Chat Identity Link Hijacking via Missing Consent and CSRF (High)
CVE-2026-50132 was published for @budibase/server (npm) Jun 22, 2026
Credited to VishaaLlKumaaRr

motionEye has an Arbitrary File Read via Path Traversal in Picture/Movie Preview Endpoint (Moderate)
CVE-2026-31978 was published for motioneye (pip) Jun 22, 2026
Credited to Neosprings, blue-pho3nix, and MichaIng

OpenCTI May Bypass Introspection Restriction (Moderate)
CVE-2024-37155 was published for pycti (pip) Jun 22, 2026
Credited to R-s0n

OpenClaw: Shell positional parameters could weaken strict inline-eval checks (High)
CVE-2026-53855 was published for openclaw (npm) Jun 18, 2026
Credited to cantinagen and Ellahinator

ZITADEL: Cross-Tenant User Leakage via Recycled Identifiers (Low)
CVE-2026-55670 was published for github.com/zitadel/zitadel (Go) Jun 18, 2026
Credited to livio-a and emgrav

OpenClaw: Pairing-scoped device session could restore revoked node token authority (High)
CVE-2026-53843 was published for openclaw (npm) Jun 18, 2026
Credited to cantinagen and Ellahinator

Open WebUI Prompt history IDOR: unbound history_id allows cross-prompt read and deletion (Moderate)
CVE-2026-54015 was published for open-webui (pip) Jun 17, 2026
Credited to 0xEr3n, Classic298, and 5yu4n

Open WebUI: Forged model meta.knowledge allows cross-user file read and deletion (High)
CVE-2026-54012 was published for open-webui (pip) Jun 17, 2026
Credited to 0xEr3n, 5yu4n, and Classic298

Open WebUI: Forged chat-file link allows cross-user file read and deletion (High)
CVE-2026-54010 was published for open-webui (pip) Jun 17, 2026
Credited to 0xEr3n, 5yu4n, Classic298, and oxsignal

Credited to vvvvvvvvvvel and Saku0512

Gitea: OAuth2 access token scope enforcement bypass via HTTP Basic authentication (High)
CVE-2026-28699 was published for code.gitea.io/gitea (Go) Jun 16, 2026
Credited to Alardiians

n8n: Cross-Tenant Credential Takeover via Dynamic Credentials EE Endpoints (High)
CVE-2026-54305 was published for n8n (npm) Jun 16, 2026
Credited to Solidscripting

Caddy: Windows `file_server` path authorization bypass via encoded backslash (High)
CVE-2026-52844 was published for github.com/caddyserver/caddy (Go) Jun 16, 2026
Credited to Vincent550102

Deno: Node TCPWrap numeric hostname aliases bypass --deny-net resolved-IP deny checks (Moderate)
CVE-2026-49411 was published for deno (Rust) Jun 16, 2026
Credited to sugarless1101

n8n: Wrong OAuth Scope on Evaluations Test Run Creation Endpoint (Moderate)
GHSA-hv7x-3x78-gx53 was published for n8n (npm) Jun 16, 2026
Credited to 34selen

@hulumi/policies has a HULUMI-H5 bypass via decoy sibling resources targeting a different bucket (High)
CVE-2026-48034 was published for @hulumi/policies (npm) Jun 10, 2026
Credited to kerberosmansour

Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking (High)
CVE-2026-44249 was published for io.netty:netty-handler (Maven) Jun 8, 2026
Credited to violetagg

vantage6 node has an Improper Access Control issue (Moderate)
CVE-2026-54533 was published for vantage6 (pip) Jun 5, 2026

NocoDB: Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints (Moderate)
CVE-2026-47279 was published for nocodb (npm) Jun 5, 2026
Credited to leduckhuong

wasmtime-wasi: WASI path_open(TRUNCATE) bypasses `FilePerms::WRITE` host restriction (High)
CVE-2026-47261 was published for wasmtime-wasi (Rust) Jun 5, 2026
Credited to shumbo

PraisonAI Platform: Missing role checks let any workspace member become owner and control workspace membership (High)
CVE-2026-47405 was published for praisonai-platform (pip) May 29, 2026
Credited to beanduan22