GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,297
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
11,793 advisories
Filter by severity
OpenClaw: Message read actions could skip channel allowlist checks
High
CVE-2026-53815
was published
for
openclaw
(npm)
Jul 2, 2026
Apify Model Context Protocol (MCP) server: Actor MCP path authority injection leaks Apify token
High
CVE-2026-50143
was published
for
@apify/actors-mcp-server
(npm)
Jul 1, 2026
goshs: WebDAV listener ignores --read-only, --upload-only, and --no-delete mode flags
High
CVE-2026-50138
was published
for
goshs.de/goshs/v2
(Go)
Jul 1, 2026
OnGres SCRAM silent channel-binding authentication downgrade via unsupported certificate algorithms
High
CVE-2026-53712
was published
for
com.ongres.scram:scram-client
(Maven)
Jul 1, 2026
`oras-go` tar extraction: Hardlink entry with relative Linkname escapes extract dir via process CWD resolution
High
CVE-2026-50163
was published
for
oras.land/oras-go/v2
(Go)
Jul 1, 2026
oras-go blob upload vulnerable to credential forwarding via unvalidated Location header
High
CVE-2026-50151
was published
for
oras.land/oras-go/v2
(Go)
Jul 1, 2026
Keycloak has privilege escalation via improper scope mapping enforcement
High
CVE-2026-9795
was published
for
org.keycloak:keycloak-services
(Maven)
Jul 1, 2026
Rancher has over-inclusive team membership expansion in GitHub App authentication provider
High
CVE-2026-41053
was published
for
github.com/rancher/rancher
(Go)
Jul 1, 2026
Rancher Fleet has Unauthenticated Webhook: Regex Injection via Unsanitized Repository URL Components
High
CVE-2026-44937
was published
for
github.com/rancher/fleet
(Go)
Jul 1, 2026
Fleet has PSS Bypass through addLabelsFromOptions in Fleet Agent
High
CVE-2026-44938
was published
for
github.com/rancher/fleet
(Go)
Jul 1, 2026
Centrifugo's dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentication bypass
High
CVE-2026-49998
was published
for
github.com/centrifugal/centrifugo
(Go)
Jul 1, 2026
SurrealDB has unauthenticated remote DoS via malformed RPC `use` call
High
GHSA-wjjj-24cx-f28g
was published
for
surrealdb
(Rust)
Jul 1, 2026
SurrealDB has Denial of Service in JSON parser due to nested objects
High
GHSA-q729-696q-g9pq
was published
for
surrealdb
(Rust)
Jul 1, 2026
SurrealDB: HTTP RPC Session Race Condition Allows Privilege Escalation
High
GHSA-4vgr-h27g-cf9p
was published
for
surrealdb
(Rust)
Jul 1, 2026
SurrealDB: HTTP /rpc `sessions` method leaks attached session UUIDs, enabling full session hijack by anonymous callers
High
GHSA-5qfp-32cf-69jh
was published
for
surrealdb
(Rust)
Jul 1, 2026
sigstore's `certificateOIDs` verification constraints are silently dropped and never enforced
High
CVE-2026-48815
was published
for
sigstore
(npm)
Jul 1, 2026
repomix Vulnerable to Command Injection (RCE) via `--remote-branch` Argument Injection
High
CVE-2026-49987
was published
for
repomix
(npm)
Jul 1, 2026
pay-rails/pay: non-constant-time HMAC comparison in Paddle Billing webhook signature verifier
High
GHSA-mjgf-xj26-9qf9
was published
for
pay
(RubyGems)
Jul 1, 2026
Twig: Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders for a cached `Template`
High
CVE-2026-49981
was published
for
twig/twig
(Composer)
Jul 1, 2026
Cortex has Untrusted Project Bootstrap Code Execution via `CLAUDE_PROJECT_DIR`
High
CVE-2026-49986
was published
for
neuro-cortex-memory
(pip)
Jul 1, 2026
wetty vulnerable to DOM XSS via file-download filename
High
CVE-2026-49864
was published
for
wetty
(npm)
Jul 1, 2026
auth-fetch-mcp has SSRF Protection Bypass via IPv4-mapped IPv6 Loopback
High
CVE-2026-49857
was published
for
auth-fetch-mcp
(npm)
Jul 1, 2026
GeoNetwork has ACL bypass on Elasticsearch search when request body omits query field
High
CVE-2026-46487
was published
for
org.geonetwork-opensource:geonetwork
(Maven)
Jul 1, 2026
GeoNetwork has reflected XSS through client-side template injection
High
CVE-2026-39379
was published
for
org.geonetwork-opensource:geonetwork
(Maven)
Jul 1, 2026
Open Babel has out-of-bounds write in MSI translationVectors[]
High
CVE-2022-46295
was published
for
openbabel
(pip)
Jul 1, 2026
ProTip!
Advisories are also available from the
GraphQL API