GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories: All reviewed (5,000+), Composer (5,000+), Erlang (91), GitHub Actions (54), Go (4,194), Maven (5,000+), npm (5,000+), NuGet (1,021), pip (5,000+), Pub (13), RubyGems (1,102), Rust (1,422), Swift (61)
Unreviewed advisories: All unreviewed (5,000+)
1,040 advisories
Twig: Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`
Moderate | CVE-2026-48808 was published for twig/twig (Composer) | Jun 30, 2026
Twig: Sandbox `__toString()` policy bypass via `Traversable` in `join` and `replace` filters
Moderate | CVE-2026-48807 was published for twig/twig (Composer) | Jun 30, 2026
Twig: Sandbox `__toString()` policy bypass via dynamic mapping keys
Moderate | CVE-2026-48806 was published for twig/twig (Composer) | Jun 30, 2026
Fission: Cross-namespace Environment reference via unvalidated EnvironmentRef in Function admission webhook
High | CVE-2026-49824 was published for github.com/fission/fission (Go) | Jun 30, 2026
Fission: Cross-namespace Package read via unvalidated PackageRef in Function admission webhook
High | CVE-2026-49823 was published for github.com/fission/fission (Go) | Jun 30, 2026
@cedar-policy/authorization-for-expressjs has an authorization bypass via query string manipulation
High | CVE-2026-49473 was published for @cedar-policy/authorization-for-expressjs (npm) | Jun 30, 2026
Statamic CMS's incorrect authorization lets view-only users submit Live Preview content reserved for editors
Low | CVE-2026-54244 was published for statamic/cms (Composer) | Jun 26, 2026
Nezha Monitoring: Stored future DDNS profile ID allows unauthorized use of another user's DDNS profile context
Moderate | CVE-2026-53521 was published for github.com/nezhahq/nezha (Go) | Jun 26, 2026
Authelia has an Edge Case Access Control Rule Mismatch
Low | CVE-2026-48794 was published for github.com/authelia/authelia/v4 (Go) | Jun 26, 2026
Blnk has an API key authorization bypass in owner and scope enforcement
High | GHSA-wcr3-9x4c-f5gj was published for github.com/blnkfinance/blnk (Go) | Jun 26, 2026
Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources
Moderate | CVE-2026-49288 was published for statamic/cms (Composer) | Jun 26, 2026
Fleet DM Vulnerable to Cross-Team Policy Data Exposure via Global Policy Read Endpoint
Moderate | CVE-2026-41262 was published for github.com/fleetdm/fleet/v4 (Go) | Jun 26, 2026
golang.org/x/crypto/ssh: Invoking VerifiedPublicKeyCallback permissions skip enforcement
Critical | CVE-2026-46595 was published for golang.org/x/crypto/ssh (Go) | Jun 25, 2026
Lemur Privilege Escalation: Non-admin role members can rewrite role membership via PUT /api/1/roles/<id>
Moderate | CVE-2026-55163 was published for lemur (pip) | Jun 25, 2026
ImageMagick: Policy Bypass can read disallowed files via symlink
Moderate | CVE-2026-49219 was published for Magick.NET-Q16-AnyCPU (NuGet) | Jun 25, 2026
Lemur has an authorization bypass in StrictRolePermission / AuthorityCreatorPermission
High | CVE-2026-48508 was published for lemur (pip) | Jun 25, 2026
LangGraph SDK has unsafe URL path construction
Moderate | CVE-2026-48776 was published for langgraph-sdk (pip) | Jun 25, 2026
Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users
High | CVE-2026-48507 was published for snipe/snipe-it (Composer) | Jun 23, 2026
Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment
Moderate | CVE-2026-48493 was published for snipe/snipe-it (Composer) | Jun 23, 2026
jackson-databind has @JsonView bypass for setterless creator properties
Moderate | CVE-2026-54517 was published for com.fasterxml.jackson.core:jackson-databind (Maven) | Jun 23, 2026
jackson-databind has a @JsonView bypass for unwrapped creator parameters
Moderate | CVE-2026-54518 was published for com.fasterxml.jackson.core:jackson-databind (Maven) | Jun 23, 2026
Gogs's write-level collaborators can mutate admin-only repository settings via API
High | CVE-2026-52808 was published for gogs.io/gogs (Go) | Jun 23, 2026
SurrealDB: Field-level SELECT permissions bypassed via graph and reference traversals
Moderate | GHSA-hv6h-hc26-q48p was published for surrealdb (Rust) | Jun 19, 2026
stigmem-node: decay sweep expires and counts facts across all tenants (cross-tenant BOLA)
High | GHSA-6gqw-jqv7-v88m was published for stigmem-node (pip) | Jun 19, 2026
stigmem-node: quarantine review surface exposes and mutates other tenants' quarantined facts (cross-tenant BOLA)
High | GHSA-xhv3-q4xx-349r was published for stigmem-node (pip) | Jun 19, 2026
ProTip! Advisories are also available from the GraphQL API.