Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,449 advisories

Loading
Decompress: Archive extraction can create files and links outside of the target directory Critical
CVE-2026-53486 was published for @xhmikosr/decompress (npm) Jul 6, 2026
XhmikosR Credited to XhmikosR
Cilium vulnerable to sensitive information disclosure and cluster disruption via local Envoy admin socket access Critical
CVE-2026-49445 was published for github.com/cilium/cilium (Go) Jul 6, 2026
0xch4z Credited to 0xch4z and moemen moemen moemen
Formie Hidden field defaults vulnerable to Server-Side Template Injection Critical
CVE-2026-52889 was published for verbb/formie (Composer) Jul 6, 2026
9router's Hardcoded Default fallback JWT Secret Allows Authentication Bypass Critical
CVE-2026-49352 was published for 9router (npm) Jul 2, 2026
kaito7926 Credited to kaito7926
LaunchServer FileServerHandler has an unauthenticated path traversal issue Critical
CVE-2026-54617 was published for pro.gravit.launcher:launchserver-api (Maven) Jul 2, 2026
getclaude Credited to getclaude
fast-mcp-telegram: Bearer token path traversal bypasses reserved Telegram session protection Critical
CVE-2026-52830 was published for fast-mcp-telegram (pip) Jul 2, 2026
DavidCarliez Credited to DavidCarliez
9router: Missing Authorization and OS Command Injection Critical
CVE-2026-59800 was published for 9router (npm) Jul 2, 2026
vcth4nh Credited to vcth4nh and Ductinn Ductinn Ductinn
Mautic vulnerable to Path Traversal via Campaign Import Critical
CVE-2026-9559 was published for mautic/core (Composer) Jul 2, 2026
nglong05 Credited to nglong05, f3nrir77, escopecz, patrykgruszka, and LeuchtfeuerDigitalMarketing f3nrir77 f3nrir77
escopecz escopecz patrykgruszka patrykgruszka LeuchtfeuerDigitalMarketing LeuchtfeuerDigitalMarketing
Mautic has Server-Side Template Injection (SSTI) in Theme Templates Critical
CVE-2026-9558 was published for mautic/core (Composer) Jul 2, 2026
onurcangnc Credited to onurcangnc, xfer0, Entropt, patrykgruszka, escopecz, LeuchtfeuerDigitalMarketing, and NumberOreo1 xfer0 xfer0
Entropt Entropt patrykgruszka patrykgruszka escopecz escopecz LeuchtfeuerDigitalMarketing LeuchtfeuerDigitalMarketing NumberOreo1 NumberOreo1
zebrad has consensus divergence via P2SH sigop undercount in pure-Rust disabled-opcode parser Critical
CVE-2026-52735 was published for zebra-script (Rust) Jul 2, 2026
samsulselfut Credited to samsulselfut and mpguerra mpguerra mpguerra
OpenClaw: QQBot admin commands could skip DM-only and allowFrom policy Critical
GHSA-w4v6-g3wm-w36c was published for openclaw (npm) Jul 2, 2026
Kherrisan Credited to Kherrisan
mcp-memory-service: Missing Authentication on Document API Endpoints Allows Unauthenticated Memory Read/Write/Delete Critical
CVE-2026-50027 was published for mcp-memory-service (pip) Jul 2, 2026
EQSTLab Credited to EQSTLab
Ghost: Cache-poisoning XSS in Ghost frontend via x-ghost-preview header Critical
CVE-2026-53943 was published for ghost (npm) Jul 1, 2026
Crypto-Cat Credited to Crypto-Cat
Rancher has Privilege Escalation from Project Owner to Host Critical
CVE-2026-41052 was published for github.com/rancher/rancher (Go) Jul 1, 2026
MMunier Credited to MMunier and Trolldemorted Trolldemorted Trolldemorted
Rancher Fleet vulnerable to cross namespace secret disclosure via unvalidated `valuesFrom` references in Helm Deployer Critical
CVE-2026-44935 was published for github.com/rancher/fleet (Go) Jul 1, 2026
Rancher vulnerable to command injection through unsanitized YAML parameter Critical
CVE-2026-44939 was published for github.com/rancher/rancher (Go) Jul 1, 2026
Ibonok Credited to Ibonok
QUIC has Broken TLS verification Critical
CVE-2026-49457 was published for quic (Erlang) Jul 1, 2026
benmmurphy Credited to benmmurphy
Fission: Environment Runtime.Container and Builder.Container SecurityContext bypass allows privileged pod creation Critical
CVE-2026-50566 was published for github.com/fission/fission (Go) Jun 30, 2026
HiyokoSauna37 Credited to HiyokoSauna37 and sanketsudake sanketsudake sanketsudake
Fission Environment CRD podspec passthrough enables hostPID/hostNetwork/privileged pods, node escape Critical
CVE-2026-50564 was published for github.com/fission/fission (Go) Jun 30, 2026
0xVijay Credited to 0xVijay and sanketsudake sanketsudake sanketsudake
Fission Container Executor Function PodSpec Injection Leading to Node Escape Critical
CVE-2026-50563 was published for github.com/fission/fission (Go) Jun 30, 2026
j311yl0v3u Credited to j311yl0v3u, b0b0haha, and sanketsudake b0b0haha b0b0haha
sanketsudake sanketsudake
Fission Environment CRD PodSpec Injection Leading to Node Escape and Cluster Takeover Critical
CVE-2026-50545 was published for github.com/fission/fission (Go) Jun 30, 2026
j311yl0v3u Credited to j311yl0v3u, b0b0haha, and sanketsudake b0b0haha b0b0haha
sanketsudake sanketsudake
Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secret_key Critical
CVE-2026-53519 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
riodrwn Credited to riodrwn
Nezha vulnerable to cross-tenant terminal/file-manager session hijack via WebSocket stream UUID without ownership check Critical
GHSA-q6xx-5vr8-p898 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Uhudsavasindankacanokcu2 Credited to Uhudsavasindankacanokcu2
mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind Critical
CVE-2026-49257 was published for mcp-pinot-server (pip) Jun 26, 2026
raysabee Credited to raysabee and PeledTomer1 PeledTomer1 PeledTomer1
Relyra SAML SignatureValue not cryptographically verified -> authentication bypass Critical
CVE-2026-49454 was published for relyra (Erlang) Jun 26, 2026
ProTip! Advisories are also available from the GraphQL API