Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

165 advisories

Loading
FileBrowser Quantum has Username Enumeration via Authentication Timing Side-Channel Moderate
CVE-2026-54685 was published for github.com/gtsteffaniak/filebrowser/backend (Go) Mar 24, 2026
mdcoxe Credited to mdcoxe
pay-rails/pay: non-constant-time HMAC comparison in Paddle Billing webhook signature verifier High
GHSA-mjgf-xj26-9qf9 was published for pay (RubyGems) Jul 1, 2026
tonghuaroot Credited to tonghuaroot
Filament: Timing-based user enumeration on login page Moderate
CVE-2026-48166 was published for filament/filament (Composer) Jun 23, 2026
wsparks-vc Credited to wsparks-vc and danharrin danharrin danharrin
PHP JWT Library: RSA1_5 (RSAES-PKCS1-v1_5) decryption lacks implicit rejection, exposing a Bleichenbacher/Marvin padding oracle Moderate
GHSA-5739-39v2-5754 was published for web-token/jwt-framework (Composer) Jun 18, 2026
Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames Low
CVE-2026-48011 was published for shopware/core (Composer) Jun 4, 2026
NielDuysters Credited to NielDuysters and tbrankaer tbrankaer tbrankaer
Django has Observable Timing Discrepancy Low
CVE-2025-13473 was published for Django (pip) Feb 3, 2026
NocoDB: User Enumeration via Sign-In Timing Low
CVE-2026-47380 was published for nocodb (npm) Jun 5, 2026
AndyAnh174 Credited to AndyAnh174
Apache Tomcat - AJP secret compared in non-constant time Low
CVE-2026-43514 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) May 12, 2026
pyquorum: Timing side‑channel in mul_mod Moderate
CVE-2026-44368 was published for pyquorum (pip) May 6, 2026
opentelemetry-collector-contrib's azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay High
CVE-2026-42602 was published for github.com/open-telemetry/opentelemetry-collector-contrib/extension/azureauthextension (Go) May 6, 2026
caitlinhalla Credited to caitlinhalla
Sync-in Server has Username Enumeration via Timing Attack Moderate
CVE-2026-41161 was published for @sync-in/server (npm) Apr 15, 2026
ppfeister Credited to ppfeister and 7185 7185 7185
ProTip! Advisories are also available from the GraphQL API