GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

361 advisories

Fission: Cross-namespace Environment reference via unvalidated EnvironmentRef in Function admission webhook High
CVE-2026-49824 was published for github.com/fission/fission (Go) Jun 30, 2026
Credited to j311yl0v3u, b0b0haha, and sanketsudake
Fission: Cross-namespace Package read via unvalidated PackageRef in Function admission webhook High
CVE-2026-49823 was published for github.com/fission/fission (Go) Jun 30, 2026
Credited to j311yl0v3u, b0b0haha, and sanketsudake
@cedar-policy/authorization-for-expressjs has an authorization bypass via query string manipulation High
CVE-2026-49473 was published for @cedar-policy/authorization-for-expressjs (npm) Jun 30, 2026
Blnk has an API key authorization bypass in owner and scope enforcement High
GHSA-wcr3-9x4c-f5gj was published for github.com/blnkfinance/blnk (Go) Jun 26, 2026
Credited to Shivam8584
Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification High
CVE-2026-46717 was published for github.com/nezhahq/nezha (Go) May 23, 2026
Lemur has an authorization bypass in StrictRolePermission / AuthorityCreatorPermission High
CVE-2026-48508 was published for lemur (pip) Jun 25, 2026
Credited to hits313
Concrete CMS is vulnerable to missing authorization in the bulk_user_assignment.php High
CVE-2026-8350 was published for concrete5/concrete5 (Composer) May 21, 2026
LiteLLM allows a user to modify their own user_role via the /user/update endpoint High
CVE-2026-47102 was published for litellm (pip) May 21, 2026
Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users High
CVE-2026-48507 was published for snipe/snipe-it (Composer) Jun 23, 2026
Credited to louissanchez-vokecyber and whatisproblem
Gogs's write-level collaborators can mutate admin-only repository settings via API High
CVE-2026-52808 was published for gogs.io/gogs (Go) Jun 23, 2026
Credited to bugbunny-research
stigmem-node: decay sweep expires and counts facts across all tenants (cross-tenant BOLA) High
GHSA-6gqw-jqv7-v88m was published for stigmem-node (pip) Jun 19, 2026
containerd CRI checkpoint restore CDI annotation smuggling High
CVE-2026-53492 was published for github.com/containerd/containerd/v2 (Go) Jun 19, 2026
Credited to robertprast
OpenClaw: Linux and macOS exec allowlists skipped configured argument patterns High
CVE-2026-53853 was published for openclaw (npm) Jun 18, 2026
Credited to amwhoi
OpenClaw: Shell positional parameters could weaken strict inline-eval checks High
CVE-2026-53855 was published for openclaw (npm) Jun 18, 2026
Credited to cantinagen and Ellahinator
npm PraisonAI utility shell safe-command wrapper allowlist bypass via shell chaining High
GHSA-5jv7-2mjm-h6qj was published for praisonai (npm) Jun 18, 2026
Credited to rexpository
npm PraisonAI AgentLoop onToolCall approval runs after tool execution High
GHSA-h2w2-v7j6-xqm4 was published for praisonai (npm) Jun 18, 2026
Credited to rexpository
npm PraisonAI SandboxExecutor allowedCommands bypass via shell chaining High
GHSA-vjv9-7m7j-h833 was published for praisonai (npm) Jun 18, 2026
Credited to rexpository
PraisonAI Code agent tools fail open without a workspace boundary High
GHSA-gcq3-mfvh-3x25 was published for praisonai (pip) Jun 18, 2026
Credited to rexpository
PraisonAI: Compute-bridged file tools allow shell command injection High
GHSA-w6h2-fr4q-xvxv was published for praisonai (pip) Jun 18, 2026
Credited to rexpository
PraisonAI recipe.run_stream skips dangerous-tool policy enforcement High
GHSA-v847-hxxw-3pxg was published for praisonai (pip) Jun 18, 2026
Credited to rexpository