Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

11,793 advisories

Loading
OpenClaw: Message read actions could skip channel allowlist checks High
CVE-2026-53815 was published for openclaw (npm) Jul 2, 2026
samchodev Credited to samchodev
Apify Model Context Protocol (MCP) server: Actor MCP path authority injection leaks Apify token High
CVE-2026-50143 was published for @apify/actors-mcp-server (npm) Jul 1, 2026
EQSTLab Credited to EQSTLab and 232-323 232-323 232-323
goshs: WebDAV listener ignores --read-only, --upload-only, and --no-delete mode flags High
CVE-2026-50138 was published for goshs.de/goshs/v2 (Go) Jul 1, 2026
black-shadow-007 Credited to black-shadow-007
OnGres SCRAM silent channel-binding authentication downgrade via unsupported certificate algorithms High
CVE-2026-53712 was published for com.ongres.scram:scram-client (Maven) Jul 1, 2026
KEIJOT Credited to KEIJOT and jorsol jorsol jorsol
`oras-go` tar extraction: Hardlink entry with relative Linkname escapes extract dir via process CWD resolution High
CVE-2026-50163 was published for oras.land/oras-go/v2 (Go) Jul 1, 2026
anvanster Credited to anvanster
oras-go blob upload vulnerable to credential forwarding via unvalidated Location header High
CVE-2026-50151 was published for oras.land/oras-go/v2 (Go) Jul 1, 2026
1seal Credited to 1seal
Keycloak has privilege escalation via improper scope mapping enforcement High
CVE-2026-9795 was published for org.keycloak:keycloak-services (Maven) Jul 1, 2026
Rancher has over-inclusive team membership expansion in GitHub App authentication provider High
CVE-2026-41053 was published for github.com/rancher/rancher (Go) Jul 1, 2026
Yuremin Credited to Yuremin and FORIMOC FORIMOC FORIMOC
Rancher Fleet has Unauthenticated Webhook: Regex Injection via Unsanitized Repository URL Components High
CVE-2026-44937 was published for github.com/rancher/fleet (Go) Jul 1, 2026
Fleet has PSS Bypass through addLabelsFromOptions in Fleet Agent High
CVE-2026-44938 was published for github.com/rancher/fleet (Go) Jul 1, 2026
Centrifugo's dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentication bypass High
CVE-2026-49998 was published for github.com/centrifugal/centrifugo (Go) Jul 1, 2026
sondt99 Credited to sondt99
SurrealDB has unauthenticated remote DoS via malformed RPC `use` call High
GHSA-wjjj-24cx-f28g was published for surrealdb (Rust) Jul 1, 2026
SurrealDB has Denial of Service in JSON parser due to nested objects High
GHSA-q729-696q-g9pq was published for surrealdb (Rust) Jul 1, 2026
DarkaMaul Credited to DarkaMaul
SurrealDB: HTTP RPC Session Race Condition Allows Privilege Escalation High
GHSA-4vgr-h27g-cf9p was published for surrealdb (Rust) Jul 1, 2026
addcontent Credited to addcontent
addcontent Credited to addcontent
sigstore's `certificateOIDs` verification constraints are silently dropped and never enforced High
CVE-2026-48815 was published for sigstore (npm) Jul 1, 2026
Jvr2022 Credited to Jvr2022, Str1ckl4nd, and Zyy0530 Str1ckl4nd Str1ckl4nd
Zyy0530 Zyy0530
repomix Vulnerable to Command Injection (RCE) via `--remote-branch` Argument Injection High
CVE-2026-49987 was published for repomix (npm) Jul 1, 2026
kakashi-kx Credited to kakashi-kx
pay-rails/pay: non-constant-time HMAC comparison in Paddle Billing webhook signature verifier High
GHSA-mjgf-xj26-9qf9 was published for pay (RubyGems) Jul 1, 2026
tonghuaroot Credited to tonghuaroot
fabpot Credited to fabpot
Cortex has Untrusted Project Bootstrap Code Execution via `CLAUDE_PROJECT_DIR` High
CVE-2026-49986 was published for neuro-cortex-memory (pip) Jul 1, 2026
EQSTLab Credited to EQSTLab and useworld useworld useworld
wetty vulnerable to DOM XSS via file-download filename High
CVE-2026-49864 was published for wetty (npm) Jul 1, 2026
Dredsen Credited to Dredsen
auth-fetch-mcp has SSRF Protection Bypass via IPv4-mapped IPv6 Loopback High
CVE-2026-49857 was published for auth-fetch-mcp (npm) Jul 1, 2026
EQSTLab Credited to EQSTLab
GeoNetwork has ACL bypass on Elasticsearch search when request body omits query field High
CVE-2026-46487 was published for org.geonetwork-opensource:geonetwork (Maven) Jul 1, 2026
jrdnull Credited to jrdnull and juanluisrp juanluisrp juanluisrp
GeoNetwork has reflected XSS through client-side template injection High
CVE-2026-39379 was published for org.geonetwork-opensource:geonetwork (Maven) Jul 1, 2026
Timonheu Credited to Timonheu, juanluisrp, and jodygarnett juanluisrp juanluisrp
jodygarnett jodygarnett
Open Babel has out-of-bounds write in MSI translationVectors[] High
CVE-2022-46295 was published for openbabel (pip) Jul 1, 2026
ProTip! Advisories are also available from the GraphQL API