GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,040 advisories

Twig: Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface` Moderate
CVE-2026-48808 was published for twig/twig (Composer) Jun 30, 2026
Credited to fabpot
Twig: Sandbox `__toString()` policy bypass via `Traversable` in `join` and `replace` filters Moderate
CVE-2026-48807 was published for twig/twig (Composer) Jun 30, 2026
Credited to fabpot
Twig: Sandbox `__toString()` policy bypass via dynamic mapping keys Moderate
CVE-2026-48806 was published for twig/twig (Composer) Jun 30, 2026
Credited to fabpot
Fission: Cross-namespace Environment reference via unvalidated EnvironmentRef in Function admission webhook High
CVE-2026-49824 was published for github.com/fission/fission (Go) Jun 30, 2026
Credited to j311yl0v3u, b0b0haha, and sanketsudake
Fission: Cross-namespace Package read via unvalidated PackageRef in Function admission webhook High
CVE-2026-49823 was published for github.com/fission/fission (Go) Jun 30, 2026
Credited to j311yl0v3u, b0b0haha, and sanketsudake
@cedar-policy/authorization-for-expressjs has an authorization bypass via query string manipulation High
CVE-2026-49473 was published for @cedar-policy/authorization-for-expressjs (npm) Jun 30, 2026
golang.org/x/crypto/ssh: Invoking VerifiedPublicKeyCallback permissions skip enforcement Critical
CVE-2026-46595 was published for golang.org/x/crypto/ssh (Go) Jun 25, 2026
Mattermost allows authenticated users to gain access to private repositories Moderate
CVE-2026-28735 was published for github.com/mattermost/mattermost-plugin-github (Go) May 26, 2026
Statamic CMS's incorrect authorization lets view-only users submit Live Preview content reserved for editors Low
CVE-2026-54244 was published for statamic/cms (Composer) Jun 26, 2026
Credited to jqr1449186277
Nezha Monitoring: Stored future DDNS profile ID allows unauthorized use of another user's DDNS profile context Moderate
CVE-2026-53521 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Credited to baradika
Authelia has an Edge Case Access Control Rule Mismatch Low
CVE-2026-48794 was published for github.com/authelia/authelia/v4 (Go) Jun 26, 2026
Credited to j0hndo, james-d-elliott, Crowley723, and nightah
Blnk has an API key authorization bypass in owner and scope enforcement High
GHSA-wcr3-9x4c-f5gj was published for github.com/blnkfinance/blnk (Go) Jun 26, 2026
Credited to Shivam8584
Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources Moderate
CVE-2026-49288 was published for statamic/cms (Composer) Jun 26, 2026
Credited to offset, Eszh, and geo-chen
Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data Moderate
CVE-2026-49397 was published for github.com/nezhahq/nezha (Go) Jun 10, 2026
Credited to offset
Nezha Monitoring: RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks (no ownership check) Moderate
CVE-2026-47120 was published for github.com/nezhahq/nezha (Go) May 23, 2026
Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification High
CVE-2026-46717 was published for github.com/nezhahq/nezha (Go) May 23, 2026
Fleet DM Vulnerable to Cross-Team Policy Data Exposure via Global Policy Read Endpoint Moderate
CVE-2026-41262 was published for github.com/fleetdm/fleet/v4 (Go) Jun 26, 2026
Credited to offset
Credited to sour-exploit
ImageMagick: Policy Bypass can read disallowed files via symlink Moderate
CVE-2026-49219 was published for Magick.NET-Q16-AnyCPU (NuGet) Jun 25, 2026
Credited to GameZoneHacker
Lemur has an authorization bypass in StrictRolePermission / AuthorityCreatorPermission High
CVE-2026-48508 was published for lemur (pip) Jun 25, 2026
Credited to hits313
LangGraph SDK has unsafe URL path construction Moderate
CVE-2026-48776 was published for langgraph-sdk (pip) Jun 25, 2026
Credited to pucagit
Concrete CMS is vulnerable to missing authorization in the bulk_user_assignment.php High
CVE-2026-8350 was published for concrete5/concrete5 (Composer) May 21, 2026
LiteLLM allows a user to modify their own user_role via the /user/update endpoint High
CVE-2026-47102 was published for litellm (pip) May 21, 2026
Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users High
CVE-2026-48507 was published for snipe/snipe-it (Composer) Jun 23, 2026
Credited to louissanchez-vokecyber and whatisproblem