Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

11,776 advisories

Loading
Ruby CSS Parser: SSRF and Local File Disclosure in `CssParser::Parser#read_remote_file` High
CVE-2026-53727 was published for css_parser (RubyGems) Jul 9, 2026
JLLeitschuh Credited to JLLeitschuh
org.hl7.fhir.core: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint High
CVE-2026-49485 was published for ca.uhn.hapi.fhir:org.hl7.fhir.dstu2 (Maven) Jul 9, 2026
Note Mark: Path traversal via unsanitized book/note slug in migrate export (sibling of GHSA-g49p) High
CVE-2026-50553 was published for github.com/enchant97/note-mark/backend (Go) Jul 9, 2026
tonghuaroot Credited to tonghuaroot, Yunkaiwjs, and enchant97 Yunkaiwjs Yunkaiwjs
enchant97 enchant97
Soup Sieve: Regular Expression Denial of Service (ReDoS) via Selector Parser High
CVE-2026-49477 was published for soupsieve (pip) Jul 9, 2026
mauriceng98 Credited to mauriceng98
Soup Sieve has Memory Exhaustion via Large Comma-Separated Selector Lists High
CVE-2026-49476 was published for soupsieve (pip) Jul 9, 2026
mauriceng98 Credited to mauriceng98
Phantom: Arbitrary file write and decode-bomb DoS via unconfined MCP tool paths High
GHSA-52vm-mxx8-f227 was published for phantom-audio (pip) Jul 9, 2026
leesaenz Credited to leesaenz
Micronaut doesn't set a maximum redirect count for its HTTP Client, enabling infinite loop DoS High
GHSA-387m-935m-c4vw was published for io.micronaut:micronaut-http-client (Maven) Jul 9, 2026
sdelamo Credited to sdelamo
Goh3st Credited to Goh3st
NL Portal: IDOR allows any authenticated user to complete and tamper with another user's taak High
CVE-2026-49464 was published for nl.nl-portal:taak (Maven) Jul 8, 2026
DSpace has possible Remote Code Execution (RCE) through Velocity Templates used by LDN High
CVE-2026-49832 was published for org.dspace:dspace-api (Maven) Jul 8, 2026
superpegaso2703 Credited to superpegaso2703 and kshepherd kshepherd kshepherd
Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding — chunked / HTTP/2 requests High
CVE-2026-50197 was published for github.com/zalando/skipper (Go) Jul 8, 2026
tonghuaroot Credited to tonghuaroot
`lxml_html_clean.Cleaner` does not strip `javascript:` URLs from namespaced URL attributes High
CVE-2026-49825 was published for lxml_html_clean (pip) Jul 8, 2026
glefait Credited to glefait, frenzymadness, and scoder frenzymadness frenzymadness
scoder scoder
Goploy: Arbitrary File Read via Path Traversal in /deploy/fileDiff allows Remote Server Compromise High
CVE-2026-53553 was published for github.com/zhenorzz/goploy (Go) Jul 7, 2026
What-canIsay Credited to What-canIsay
ratex-parser panics on `\verb` with a multibyte delimiter (UTF-8 byte-boundary slice) High
CVE-2026-53530 was published for ratex-parser (Rust) Jul 7, 2026
nikkoenggaliano Credited to nikkoenggaliano
@better-auth/scim: Account/provider takeover via missing owner binding on non-org SCIM providers High
GHSA-j8v8-g9cx-5qf4 was published for @better-auth/scim (npm) Jul 7, 2026
Jvr2022 Credited to Jvr2022
chdanielmueller Credited to chdanielmueller
Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption High
CVE-2026-53517 was published for @better-auth/oauth-provider (npm) Jul 7, 2026
chdanielmueller Credited to chdanielmueller
subhanUmer Credited to subhanUmer
Better Auth has stored XSS in the auth-server origin via javascript: redirect_uri in oidc-provider and mcp High
GHSA-86j7-9j95-vpqj was published for better-auth (npm) Jul 7, 2026
hillalee Credited to hillalee
Better Auth has an account takeover issue via OAuth auto-link to unverified pre-registered email High
CVE-2026-53516 was published for better-auth (npm) Jul 7, 2026
avrmeduard Credited to avrmeduard
widavies Credited to widavies
Open WebUI vulnerable to Stored XSS via iFrame embeds in response messages High
CVE-2026-26193 was published for open-webui (pip) Jul 7, 2026
gg0h Credited to gg0h
Open WebUI vulnerable to Stored XSS via iFrame in citations model High
CVE-2026-26192 was published for open-webui (pip) Jul 7, 2026
gg0h Credited to gg0h
ProTip! Advisories are also available from the GraphQL API