GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
3,625 advisories
golang.org/x/crypto/ssh: Invoking VerifiedPublicKeyCallback permissions skip enforcement
Critical. CVE-2026-46595 was published for golang.org/x/crypto/ssh (Go) on Jun 25, 2026.
Lemur Privilege Escalation: Non-admin role members can rewrite role membership via PUT /api/1/roles/<id>
Moderate. CVE-2026-55163 was published for lemur (pip) on Jun 25, 2026.
ImageMagick: Policy Bypass can read disallowed files via symlink
Moderate. CVE-2026-49219 was published for Magick.NET-Q16-AnyCPU (NuGet) on Jun 25, 2026.
Lemur has an authorization bypass in StrictRolePermission / AuthorityCreatorPermission
High. CVE-2026-48508 was published for lemur (pip) on Jun 25, 2026.
LangGraph SDK has unsafe URL path construction
Moderate. CVE-2026-48776 was published for langgraph-sdk (pip) on Jun 25, 2026.
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.6 before 18.11.6,...
Moderate (Unreviewed). CVE-2026-5796 was published on Jun 25, 2026.
GitLab has remediated an issue in GitLab EE affecting all versions from 17.9 before 18.11.6, 19.0...
Low (Unreviewed). CVE-2026-0934 was published on Jun 25, 2026.
GitLab has remediated an issue in GitLab EE affecting all versions from 13.11 prior to 18.11.6,...
Moderate (Unreviewed). CVE-2026-11379 was published on Jun 25, 2026.
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.11 before 18.11.6,...
Moderate (Unreviewed). CVE-2026-5952 was published on Jun 25, 2026.
Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users
High. CVE-2026-48507 was published for snipe/snipe-it (Composer) on Jun 23, 2026.
Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment
Moderate. CVE-2026-48493 was published for snipe/snipe-it (Composer) on Jun 23, 2026.
jackson-databind has @JsonView bypass for setterless creator properties
Moderate. CVE-2026-54517 was published for com.fasterxml.jackson.core:jackson-databind (Maven) on Jun 23, 2026.
jackson-databind has a @JsonView bypass for unwrapped creator parameters
Moderate. CVE-2026-54518 was published for com.fasterxml.jackson.core:jackson-databind (Maven) on Jun 23, 2026.
NanoClaw before 2.1.0 contains a privilege escalation vulnerability in the channel-registration...
Moderate (Unreviewed). CVE-2026-56694 was published on Jun 23, 2026.
Gogs's write-level collaborators can mutate admin-only repository settings via API
High. CVE-2026-52808 was published for gogs.io/gogs (Go) on Jun 23, 2026.
Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to validate bot targets when...
Low (Unreviewed). CVE-2026-8823 was published on Jun 22, 2026.
Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to enforce bot-specific permission...
Low (Unreviewed). CVE-2026-8074 was published on Jun 22, 2026.
Authorization handling for component configuration verification requests in Apache NiFi 1.15.0...
Low (Unreviewed). CVE-2026-44911 was published on Jun 22, 2026.
SurrealDB: Field-level SELECT permissions bypassed via graph and reference traversals
Moderate. GHSA-hv6h-hc26-q48p was published for surrealdb (Rust) on Jun 19, 2026.
stigmem-node: decay sweep expires and counts facts across all tenants (cross-tenant BOLA)
High. GHSA-6gqw-jqv7-v88m was published for stigmem-node (pip) on Jun 19, 2026.
stigmem-node: quarantine review surface exposes and mutates other tenants' quarantined facts (cross-tenant BOLA)
High. GHSA-xhv3-q4xx-349r was published for stigmem-node (pip) on Jun 19, 2026.
SpiceDB: Checks involving relations with caveats can result in unconditional permission when conditional permission is expected
Low. CVE-2026-55866 was published for github.com/authzed/spicedb (Go) on Jun 19, 2026.
OpenBao: Cross-namespace lease revocation/renewal via canonical sys/leases/{revoke,renew} — incomplete fix of CVE-2026-45808
Low. CVE-2026-55774 was published for github.com/openbao/openbao (Go) on Jun 19, 2026.
containerd CRI checkpoint restore CDI annotation smuggling
High. CVE-2026-53492 was published for github.com/containerd/containerd/v2 (Go) on Jun 19, 2026.
parse-server: Server option routeAllowList is bypassable through batch sub-requests
Moderate. CVE-2026-50008 was published for parse-server (npm) on Jun 19, 2026.
ProTip! Advisories are also available from the GraphQL API.