GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
94 advisories
@agenticmail/mcp Missing Authentication for Critical Function. Severity High. GHSA-63gr-g7jc-v8rg was published for @agenticmail/mcp (npm) on Jun 1, 2026.

Automad has Broken Access Control: Unauthenticated exposure of administrator bcrypt password hashes and TOTP secrets via public API endpoint. Severity High. CVE-2026-45332 was published for automad/automad (Composer) on May 27, 2026.

Fission StorageSvc /v1/archive endpoint exposes unauthenticated CRUD over all function archives. Severity High. CVE-2026-46612 was published for github.com/fission/fission (Go) on May 21, 2026.

Windows-MCP: HTTP transports expose unauthenticated PowerShell control with wildcard CORS. Severity High. GHSA-vrxg-gm77-7q5g was published for windows-mcp (pip) on May 21, 2026.

CamoFox MCP: Unauthenticated HTTP MCP browser-control surface. Severity High. GHSA-7hgr-7h44-33w2 was published for camofox-mcp (npm) on May 19, 2026.

TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection. Severity High. CVE-2026-45327 was published for github.com/DatanoiseTV/tinyice (Go) on May 18, 2026.

mem0 server lacks authentication and authorization controls for its memory management API endpoints. Severity High. CVE-2026-31240 was published for mem0ai (pip) on May 12, 2026.

Dalfox Server Mode has an Unauthenticated Arbitrary File Create/Append via `output` Option. Severity High. CVE-2026-45089 was published for github.com/hahwul/dalfox/v2 (Go) on May 12, 2026.

Dalfox Server Mode has an Unauthenticated Arbitrary File Read with Out-of-Band Exfiltration via `custom-payload-file`. Severity High. CVE-2026-45088 was published for github.com/hahwul/dalfox/v2 (Go) on May 12, 2026.

PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution. Severity High. CVE-2026-44338 was published for PraisonAI (pip) on May 11, 2026.

@yoda.digital/gitlab-mcp-server's SSE transport has no authentication and wildcard CORS, exposing all 86 GitLab tools. Severity High. CVE-2026-44895 was published for @yoda.digital/gitlab-mcp-server (npm) on May 9, 2026.

free5GC's SMF UPI DELETE /upi/v1/upNodesLinks/{ref} panics on AN-node deletion via nil UPF dereference; unauthenticated, state-mutating. Severity High. CVE-2026-44328 was published for github.com/free5gc/smf (Go) on May 8, 2026.

free5GC's SMF UPI POST /upi/v1/upNodesLinks exits the SMF process on overlapping UE pools (unauthenticated, reachable Fatalf). Severity High. CVE-2026-44321 was published for github.com/free5gc/smf (Go) on May 8, 2026.

free5GC's NEF nnef-callback route group is unauthenticated; forged callback requests are accepted into the processing path. Severity High. CVE-2026-44320 was published for github.com/free5gc/nef (Go) on May 8, 2026.

gmaps-mcp's unauthenticated HTTP transport allows unlimited Google Maps API calls at operator expense. Severity High. GHSA-52cq-7v8r-62c6 was published for gmaps-mcp (pip) on May 8, 2026.

DevSpace UI Server WebSocket CheckOrigin does not validate source. Severity High. CVE-2026-42283 was published for github.com/loft-sh/devspace (Go) on May 6, 2026.

Nginx-UI: Unauthenticated first-boot instance claim via POST /api/install allows remote bootstrap takeover. Severity High. CVE-2026-42222 was published for github.com/0xJacky/nginx-ui (Go) on May 6, 2026.

Nginx-UI: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim. Severity High. CVE-2026-42221 was published for github.com/0xJacky/Nginx-UI (Go) on May 6, 2026.

Network-AI missing authentication on MCP HTTP endpoint, which allows unauthenticated privileged tool calls. Severity High. CVE-2026-42856 was published for network-ai (npm) on May 5, 2026.

Traefik: Pre-authentication decision bypass due to forwarded alias spoofing. Severity High. CVE-2026-39858 was published for github.com/traefik/traefik (Go) on Apr 24, 2026.

engram: HTTP server CORS wildcard + auth-off-by-default enables CSRF graph exfiltration and persistent indirect prompt injection. Severity High. GHSA-2r2p-4cgf-hv7h was published for engramx (npm) on Apr 22, 2026.

Glances: Cross-Origin Information Disclosure via Unauthenticated REST API (/api/4) due to Permissive CORS. Severity High. CVE-2026-34839 was published for Glances (pip) on Apr 21, 2026.

Paperclip: Unauthenticated Access to Multiple API Endpoints in Authenticated Mode. Severity High. GHSA-xfqj-r5qw-8g4j was published for @paperclipai/server (npm) on Apr 16, 2026.

Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow in Flowise. Severity High. CVE-2026-41273 was published for flowise (npm) on Apr 16, 2026.

MinIO has an Unauthenticated Object Write via Missing Signature Verification in Unsigned-Trailer Uploads. Severity High. CVE-2026-40344 was published for github.com/minio/minio (Go) on Apr 14, 2026.
Advisories are also available from the GraphQL API.