GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,217
Maven
5,000+
npm
5,000+
NuGet
1,021
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,443
Swift
61
Unreviewed advisories
All unreviewed
5,000+
133 advisories
Filter by severity
pnpm: Manifest identity spoof satisfies allowBuilds and runs attacker lifecycle
High
CVE-2026-55487
was published
for
pnpm
(npm)
Jun 26, 2026
chi Middleware Vulnerable to Potential IP Spoofing via `X-Forwarded-For` Header in `Request.RemoteAddr` Resolution
High
GHSA-9g5q-2w5x-hmxf
was published
for
github.com/go-chi/chi/middleware
(Go)
Jun 25, 2026
Glances: XML-RPC Server Missing Host Header Validation Enables DNS Rebinding Attack
Moderate
CVE-2026-46611
was published
for
glances
(pip)
Jun 22, 2026
Anki's local HTTP server does not sufficiently validate requests
High
GHSA-869j-r97x-hx2g
was published
for
aqt
(pip)
Jun 19, 2026
LangSmith SDK TracingMiddleware: Arbitrary server-side file read
High
GHSA-f4xh-w4cj-qxq8
was published
for
langsmith
(pip)
Jun 19, 2026
Uni-CLI: Legacy HTTP MCP transport accepted browser-originated localhost requests
High
GHSA-v3f4-w7r7-v3hm
was published
for
@zenalexa/unicli
(npm)
Jun 19, 2026
dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens
Moderate
CVE-2026-55837
was published
for
dbt-mcp
(pip)
Jun 19, 2026
TinaCMS: Cross-origin postMessage handlers and rich-text URL-sanitization bypass enable stored XSS and session takeover
High
CVE-2026-55660
was published
for
@tinacms/app
(npm)
Jun 19, 2026
Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs
Critical
CVE-2026-55791
was published
for
craftcms/cms
(Composer)
Jun 19, 2026
Blocky DNSSEC validation bypass and validation-cache scope pollution
High
GHSA-x845-2f78-7v36
was published
for
github.com/0xERR0R/blocky
(Go)
Jun 19, 2026
Kozou: Unauthenticated MCP HTTP server and bundled dev-stack hardening (DNS-rebinding, request-body limits, read-only reads, default network exposure)
High
GHSA-v52w-28xh-v562
was published
for
@kozou/api
(npm)
Jun 19, 2026
guzzlehttp/guzzle: Dot-Only Cookie Domains Match All Hosts
Moderate
CVE-2026-55767
was published
for
guzzlehttp/guzzle
(Composer)
Jun 19, 2026
undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse
High
CVE-2026-6734
was published
for
undici
(npm)
Jun 19, 2026
PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools
High
GHSA-vmf9-xx9w-86wx
was published
for
praisonai
(pip)
Jun 18, 2026
ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider
Moderate
CVE-2026-55669
was published
for
github.com/zitadel/zitadel
(Go)
Jun 18, 2026
webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies
Moderate
CVE-2026-9595
was published
for
webpack-dev-server
(npm)
Jun 17, 2026
Open WebUI: Cross-origin postMessage confirmation bypass via action:submit
High
CVE-2026-54007
was published
for
open-webui
(pip)
Jun 17, 2026
@angular/platform-server: URL Parser Differential leading to SSRF Allowlist Bypass
High
CVE-2026-50168
was published
for
@angular/platform-server
(npm)
Jun 15, 2026
Appsmith: Configuration-dependent origin validation bypass in password reset and email verification link generation
High
GHSA-j9gf-vw2f-9hrw
was published
for
com.appsmith:server
(Maven)
Jun 12, 2026
@hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects
Moderate
CVE-2026-48022
was published
for
@hapi/wreck
(npm)
Jun 11, 2026
Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload
Critical
CVE-2026-48063
was published
for
@whiskeysockets/baileys
(npm)
Jun 10, 2026
SillyTavern has Authentication Bypass via SSO Header Injection
Critical
CVE-2026-44649
was published
for
sillytavern
(npm)
May 12, 2026
React Router has CSRF issue in Action/Server Action Request Processing
Moderate
CVE-2026-22030
was published
for
@remix-run/server-runtime
(npm)
Jan 8, 2026
Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin
Moderate
CVE-2026-45021
was published
for
github.com/kumahq/kuma
(Go)
May 14, 2026
Dozzle's Cross-Site WebSocket Hijacking (CSWSH) on exec/attach endpointsbypasses authentication
High
CVE-2026-44985
was published
for
github.com/amir20/dozzle
(Go)
May 11, 2026
ProTip!
Advisories are also available from the
GraphQL API