GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
92 advisories
Filter by severity
File Browser: Authentication Bypass via Proxy Auth Header Forgery
Critical
CVE-2026-54089
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Jul 10, 2026
Authentication Bypass by Spoofing vulnerability in Apache IoTDB.
Certain Thrift RPC query...
Critical
Unreviewed
CVE-2026-24013
was published
Jul 6, 2026
NVIDIA AIStore framework contains a vulnerability where an attacker could bypass authentication....
Critical
Unreviewed
CVE-2026-24270
was published
Jul 1, 2026
Woodpecker before 3.15.0 matches the ApprovalAllowedUsers bypass list against pipeline.Author....
Critical
Unreviewed
CVE-2026-58370
was published
Jun 30, 2026
CoreWCF: Authentication bypass in CoreWCF SAML 1.1 / 2.0 token signature validation
Critical
CVE-2026-54782
was published
for
CoreWCF.Primitives
(NuGet)
Jun 19, 2026
The Webmin HTTP server (miniserv.pl) allows unauthenticated attackers to impersonate any user...
Critical
Unreviewed
CVE-2026-56020
was published
Jun 18, 2026
@acastellon/auth: Authentication bypass via spoofable headers in validateToken()
Critical
CVE-2026-58399
was published
for
@acastellon/auth
(npm)
Jun 18, 2026
LiteLLM: Authentication Bypass via Host Header Injection
Critical
CVE-2026-49468
was published
for
litellm
(pip)
Jun 16, 2026
ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization...
Critical
Unreviewed
CVE-2026-36537
was published
Jun 15, 2026
Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload
Critical
CVE-2026-48063
was published
for
@whiskeysockets/baileys
(npm)
Jun 10, 2026
Authentication bypass by spoofing in Azure HorizonDB allows an unauthorized attacker to elevate...
Critical
Unreviewed
CVE-2026-48567
was published
Jun 5, 2026
IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to identity spoofing.
Critical
Unreviewed
CVE-2026-8644
was published
Jun 1, 2026
@samanhappy/mcphub: SSE Endpoint Accepts Arbitrary Username from URL Path Without Authentication, Enabling User Impersonation
Critical
GHSA-wf8q-wvv8-p8jf
was published
for
@samanhappy/mcphub
(npm)
May 14, 2026
SillyTavern has Authentication Bypass via SSO Header Injection
Critical
CVE-2026-44649
was published
for
sillytavern
(npm)
May 12, 2026
Unity Catalog has a JWT Issuer Validation Bypass tht Allows Complete User Impersonation
Critical
CVE-2026-27478
was published
for
io.unitycatalog:unitycatalog-server
(Maven)
May 11, 2026
OpenCart 3.0.3.8 contains a session fixation vulnerability that allows attackers to hijack user...
Critical
Unreviewed
CVE-2021-47923
was published
May 10, 2026
A vulnerability in Remote Spark SparkView before build 1122 allows an attacker to bypasses the...
Critical
Unreviewed
CVE-2026-6213
was published
May 8, 2026
Codechecker has an authentication bypass for certain API calls
Critical
CVE-2026-25660
was published
for
codechecker
(pip)
May 5, 2026
Sentry's improper authentication on SAML SSO process allows user identity linking
Critical
CVE-2026-42354
was published
for
sentry
(pip)
Apr 30, 2026
Tenda W3002R/A302/W309R wireless routers version V5.07.64_en contain a cookie session weakness...
Critical
Unreviewed
CVE-2018-25317
was published
Apr 29, 2026
Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability that allows...
Critical
Unreviewed
CVE-2018-25318
was published
Apr 29, 2026
Tenda W308R v2 V5.07.48 contains a cookie session weakness vulnerability that allows...
Critical
Unreviewed
CVE-2018-25316
was published
Apr 29, 2026
OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing
Critical
CVE-2026-40575
was published
for
github.com/oauth2-proxy/oauth2-proxy/v7
(Go)
Apr 15, 2026
OAuth2 Proxy's Health Check User-Agent Matching Bypasses Authentication in auth_request Mode
Critical
CVE-2026-34457
was published
for
github.com/oauth2-proxy/oauth2-proxy
(Go)
Apr 14, 2026
In N2W before 4.3.2 and 4.4.0 before 4.4.1, improper validation of API request parameters enables...
Critical
Unreviewed
CVE-2025-59706
was published
Mar 25, 2026
ProTip!
Advisories are also available from the
GraphQL API