GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
91
GitHub Actions
54
Go
4,194
Maven
5,000+
npm
5,000+
NuGet
1,021
pip
5,000+
Pub
13
RubyGems
1,102
Rust
1,422
Swift
61
Unreviewed advisories
All unreviewed
5,000+
1,040 advisories
Filter by severity
Twig: Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`
Moderate
CVE-2026-48808
was published
for
twig/twig
(Composer)
Jun 30, 2026
Twig: Sandbox `__toString()` policy bypass via `Traversable` in `join` and `replace` filters
Moderate
CVE-2026-48807
was published
for
twig/twig
(Composer)
Jun 30, 2026
Twig: Sandbox `__toString()` policy bypass via dynamic mapping keys
Moderate
CVE-2026-48806
was published
for
twig/twig
(Composer)
Jun 30, 2026
Fission: Cross-namespace Environment reference via unvalidated EnvironmentRef in Function admission webhook
High
CVE-2026-49824
was published
for
github.com/fission/fission
(Go)
Jun 30, 2026
Fission: Cross-namespace Package read via unvalidated PackageRef in Function admission webhook
High
CVE-2026-49823
was published
for
github.com/fission/fission
(Go)
Jun 30, 2026
@cedar-policy/authorization-for-expressjs has an authorization bypass via query string manipulation
High
CVE-2026-49473
was published
for
@cedar-policy/authorization-for-expressjs
(npm)
Jun 30, 2026
golang.org/x/crypto/ssh: Invoking VerifiedPublicKeyCallback permissions skip enforcement
Critical
CVE-2026-46595
was published
for
golang.org/x/crypto/ssh
(Go)
Jun 25, 2026
Mattermost allows authenticated users to gain access to private repositories
Moderate
CVE-2026-28735
was published
for
github.com/mattermost/mattermost-plugin-github
(Go)
May 26, 2026
Statamic CMS's incorrect authorization lets view-only users submit Live Preview content reserved for editors
Low
CVE-2026-54244
was published
for
statamic/cms
(Composer)
Jun 26, 2026
Nezha Monitoring: Stored future DDNS profile ID allows unauthorized use of another user's DDNS profile context
Moderate
CVE-2026-53521
was published
for
github.com/nezhahq/nezha
(Go)
Jun 26, 2026
Authelia has an Edge Case Access Control Rule Mismatch
Low
CVE-2026-48794
was published
for
github.com/authelia/authelia/v4
(Go)
Jun 26, 2026
Blnk has an API key authorization bypass in owner and scope enforcement
High
GHSA-wcr3-9x4c-f5gj
was published
for
github.com/blnkfinance/blnk
(Go)
Jun 26, 2026
Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources
Moderate
CVE-2026-49288
was published
for
statamic/cms
(Composer)
Jun 26, 2026
Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data
Moderate
CVE-2026-49397
was published
for
github.com/nezhahq/nezha
(Go)
Jun 10, 2026
Nezha Monitoring: RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks (no ownership check)
Moderate
CVE-2026-47120
was published
for
github.com/nezhahq/nezha
(Go)
May 23, 2026
Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification
High
CVE-2026-46717
was published
for
github.com/nezhahq/nezha
(Go)
May 23, 2026
Fleet DM Vulnerable to Cross-Team Policy Data Exposure via Global Policy Read Endpoint
Moderate
CVE-2026-41262
was published
for
github.com/fleetdm/fleet/v4
(Go)
Jun 26, 2026
Lemur Privilege Escalation: Non-admin role members can rewrite role membership via PUT /api/1/roles/<id>
Moderate
CVE-2026-55163
was published
for
lemur
(pip)
Jun 25, 2026
ImageMagick: Policy Bypass can read disallowed files via symlink
Moderate
CVE-2026-49219
was published
for
Magick.NET-Q16-AnyCPU
(NuGet)
Jun 25, 2026
Lemur has an authorization bypass in StrictRolePermission / AuthorityCreatorPermission
High
CVE-2026-48508
was published
for
lemur
(pip)
Jun 25, 2026
LangGraph SDK has unsafe URL path construction
Moderate
CVE-2026-48776
was published
for
langgraph-sdk
(pip)
Jun 25, 2026
Concrete CMS is vulnerable to missing authorization in the bulk_user_assignment.php
High
CVE-2026-8350
was published
for
concrete5/concrete5
(Composer)
May 21, 2026
LiteLLM allows a user to modify their own user_role via the /user/update endpoint
High
CVE-2026-47102
was published
for
litellm
(pip)
May 21, 2026
LiteLLM allows an authenticated internal_user to create API keys with access to routes that their role does not permit
High
CVE-2026-47101
was published
for
litellm
(pip)
May 21, 2026
Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users
High
CVE-2026-48507
was published
for
snipe/snipe-it
(Composer)
Jun 23, 2026
ProTip!
Advisories are also available from the
GraphQL API