Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

165 advisories

Loading
pay-rails/pay: non-constant-time HMAC comparison in Paddle Billing webhook signature verifier High
GHSA-mjgf-xj26-9qf9 was published for pay (RubyGems) Jul 1, 2026
tonghuaroot Credited to tonghuaroot
Filament: Timing-based user enumeration on login page Moderate
CVE-2026-48166 was published for filament/filament (Composer) Jun 23, 2026
wsparks-vc Credited to wsparks-vc and danharrin danharrin danharrin
PHP JWT Library: RSA1_5 (RSAES-PKCS1-v1_5) decryption lacks implicit rejection, exposing a Bleichenbacher/Marvin padding oracle Moderate
GHSA-5739-39v2-5754 was published for web-token/jwt-framework (Composer) Jun 18, 2026
NocoDB: User Enumeration via Sign-In Timing Low
CVE-2026-47380 was published for nocodb (npm) Jun 5, 2026
AndyAnh174 Credited to AndyAnh174
Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames Low
CVE-2026-48011 was published for shopware/core (Composer) Jun 4, 2026
NielDuysters Credited to NielDuysters and tbrankaer tbrankaer tbrankaer
Apache Tomcat - AJP secret compared in non-constant time Low
CVE-2026-43514 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) May 12, 2026
mcp-ssh-tool has file transfer path policy bypass and bearer token comparison hardening High
GHSA-j7h9-2jh7-g967 was published for mcp-ssh-tool (npm) May 7, 2026
Kanidm has non-constant-time comparison of OAuth2 client_secret Low
GHSA-53hj-r94p-8c8f was published for kanidm (Rust) May 6, 2026
mbarbero Credited to mbarbero
Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening Critical
GHSA-9h64-2846-7x7f was published for github.com/getaxonflow/axonflow (Go) May 6, 2026
pyquorum: Timing side‑channel in mul_mod Moderate
CVE-2026-44368 was published for pyquorum (pip) May 6, 2026
opentelemetry-collector-contrib's azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay High
CVE-2026-42602 was published for github.com/open-telemetry/opentelemetry-collector-contrib/extension/azureauthextension (Go) May 6, 2026
caitlinhalla Credited to caitlinhalla
ProTip! Advisories are also available from the GraphQL API