Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

89 advisories

Loading
SafeInstall agent guard shell parsing can miss raw package execution High
GHSA-xrmc-c5cg-rv7x was published for safeinstall-cli (npm) Jul 10, 2026
Tesla: Authorization header leaks on cross-origin redirect via case-sensitive filtering High
CVE-2026-48595 was published for tesla (Erlang) Jul 10, 2026
PJUllrich Credited to PJUllrich, yordis, and maennchen yordis yordis
maennchen maennchen
Authelia has an Edge Case Access Control Rule Mismatch Low
CVE-2026-48794 was published for github.com/authelia/authelia/v4 (Go) Jun 26, 2026
j0hndo Credited to j0hndo, james-d-elliott, Crowley723, and nightah james-d-elliott james-d-elliott
Crowley723 Crowley723 nightah nightah
@microsoft/kiota-http-fetchlibrary: Bearer token and Cookie leak across origin on redirect due to case-mismatched scrub in fetchRequestAdapter Moderate
CVE-2026-49336 was published for @microsoft/kiota-http-fetchlibrary (npm) Jun 26, 2026
tonghuaroot Credited to tonghuaroot, baywet, and adrian05-ms baywet baywet
adrian05-ms adrian05-ms
jupyterlab-git excluded_paths Case-Sensitivity Bypass Allows Reading Excluded Directories High
CVE-2026-54528 was published for jupyterlab-git (pip) Jun 19, 2026
AAtomical Credited to AAtomical, Yann-P, and jtpio Yann-P Yann-P
jtpio jtpio
Nokogiri: XML::Schema on JRuby allows network requests when NONET is set, bypassing CVE-2020-26247 Low
GHSA-8678-w3jw-xfc2 was published for nokogiri (RubyGems) Jun 19, 2026
bilerden Credited to bilerden
OpenFGA Improper Policy Enforcement Low
CVE-2026-55170 was published for github.com/openfga/openfga (Go) Jun 18, 2026
sahajamoth Credited to sahajamoth
MCPVault: PathFilter restricted-directory deny-list bypass via case and trailing dot/space equivalence Moderate
GHSA-j99q-93c9-h869 was published for @bitbonsai/mcpvault (npm) Jun 18, 2026
TYPO3 CMS has Broken Access Control in its Form Framework High
CVE-2026-47346 was published for typo3/cms-core (Composer) Jun 12, 2026
Authelia Missing Username Canonicalization in Basic Auth (LDAP) Low
CVE-2026-47203 was published for github.com/authelia/authelia/v4 (Go) May 29, 2026
Nadav0077 Credited to Nadav0077, james-d-elliott, nightah, and Crowley723 james-d-elliott james-d-elliott
nightah nightah Crowley723 Crowley723
tuf has platform-dependent delegation path matching Moderate
GHSA-qp9x-wp8f-qgjj was published for tuf (pip) May 28, 2026
kodareef5 Credited to kodareef5
Envoy AI Proxy - MCP Message Smuggling Vulnerability Moderate
GHSA-4gph-2hhr-5mwg was published for github.com/envoyproxy/ai-gateway (Go) May 19, 2026
anaximand3r Credited to anaximand3r
Camel-CXF and Camel-Knative Message Header are Vulnerable to Injection via Missing Inbound Filtering Critical
CVE-2026-47323 was published for org.apache.camel:camel-cxf-rest (Maven) May 19, 2026
Caddy: Unsafe Unicode Handling in FastCGI splitPos Allows Execution of Non-PHP Files High
CVE-2026-45135 was published for github.com/caddyserver/caddy/v2 (Go) May 18, 2026
dunglas Credited to dunglas, KC1zs4, and chenjj KC1zs4 KC1zs4
chenjj chenjj
FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files High
CVE-2026-45062 was published for github.com/dunglas/frankenphp (Go) May 15, 2026
KC1zs4 Credited to KC1zs4, chenjj, and dunglas chenjj chenjj
dunglas dunglas
Apache Tomcat: LockOutRealm treats user names as case-sensitive High
CVE-2026-43513 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) May 12, 2026
Apache Camel has an incomplete fix for CVE-2025-27636 Critical
CVE-2026-40453 was published for org.apache.camel:camel-coap (Maven) Apr 27, 2026
kmagdziarz Credited to kmagdziarz
Heimdall: Case-sensitive host matching may lead to policy bypass High
CVE-2026-42273 was published for github.com/dadrus/heimdall (Go) Apr 25, 2026
Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation High
CVE-2026-42272 was published for github.com/dadrus/heimdall (Go) Apr 25, 2026
Multiple security fixes in justhtml Low
GHSA-4p64-v8f5-r2gx was published for justhtml (pip) Apr 14, 2026
EmilStenstrom Credited to EmilStenstrom
ProTip! Advisories are also available from the GraphQL API