Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

26 advisories

Loading
Identity Spoofing in libp2p-secio Critical
GHSA-rch7-f4h5-x9rj was published for libp2p-secio (npm) Aug 23, 2019
Argo CD will blindly trust JWT claims if anonymous access is enabled Critical
CVE-2022-29165 was published for github.com/argoproj/argo-cd (Go) May 24, 2022
Authentication Bypass in dex Critical
CVE-2020-27847 was published for github.com/dexidp/dex (Go) Dec 20, 2021
Implementation trusts the "me" field returned by the authorization server without verifying it Critical
GHSA-mjcr-rqjg-rhg3 was published for datasette-indieauth (pip) Nov 24, 2020
python-jwt vulnerable to token forgery with new claims Critical
CVE-2022-39227 was published for python-jwt (pip) Sep 21, 2022
TomTervoort Credited to TomTervoort
Mellium allows Authentication Bypass by Spoofing Critical
CVE-2024-46957 was published for mellium.im/xmpp (Go) Sep 25, 2024
Grafana vulnerable to Authentication Bypass by Spoofing Critical
CVE-2023-3128 was published for github.com/grafana/grafana (Go) Jun 22, 2023
The AspNetCore Remote Authenticator for SPID Allows SAML Response Signature Verification Bypass Critical
CVE-2025-24894 was published for SPID.AspNetCore.Authentication (NuGet) Feb 18, 2025
smaury Credited to smaury, Paupu, and fromVeeko Paupu Paupu
fromVeeko fromVeeko
AspNetCore Remote Authenticator for CIE3.0 Allows SAML Response Signature Verification Bypass Critical
CVE-2025-24895 was published for CIE.AspNetCore.Authentication (NuGet) Feb 18, 2025
smaury Credited to smaury, Paupu, and fromVeeko Paupu Paupu
fromVeeko fromVeeko
OAuth2-Proxy has authentication bypass in oauth2-proxy skip_auth_routes due to Query Parameter inclusion Critical
CVE-2025-54576 was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) Jul 30, 2025
jennifer-recurity Credited to jennifer-recurity
HydrAIDE Authentication Bypass Vulnerability Critical
GHSA-qp7j-x725-g67f was published for github.com/hydraide/hydraide (Go) Aug 19, 2025
yyewolf Credited to yyewolf
Akka.Remote TLS did not properly implement certificate-based authentication Critical
CVE-2025-61778 was published for Akka.Cluster (NuGet) Oct 7, 2025
Aaronontheweb Credited to Aaronontheweb
FUXA Unauthenticated Remote Code Execution in Node-RED Integration Critical
CVE-2026-25938 was published for fuxa-server (npm) Feb 10, 2026
wodzen Credited to wodzen
Nextcloud Talk allowlist bypass via actor.name display name spoofing Critical
CVE-2026-28474 was published for @openclaw/nextcloud-talk (npm) Feb 17, 2026
MegaManSec Credited to MegaManSec
OAuth2 Proxy's Health Check User-Agent Matching Bypasses Authentication in auth_request Mode Critical
CVE-2026-34457 was published for github.com/oauth2-proxy/oauth2-proxy (Go) Apr 14, 2026
iamnoooob Credited to iamnoooob
OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing Critical
CVE-2026-40575 was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) Apr 15, 2026
iamnoooob Credited to iamnoooob
Codechecker has an authentication bypass for certain API calls Critical
CVE-2026-25660 was published for codechecker (pip) May 5, 2026
mtolley Credited to mtolley
Unity Catalog has a JWT Issuer Validation Bypass tht Allows Complete User Impersonation Critical
CVE-2026-27478 was published for io.unitycatalog:unitycatalog-server (Maven) May 11, 2026
lukas-reining Credited to lukas-reining
Sentry's improper authentication on SAML SSO process allows user identity linking Critical
CVE-2026-42354 was published for sentry (pip) Apr 30, 2026
jaydns Credited to jaydns
@samanhappy/mcphub: SSE Endpoint Accepts Arbitrary Username from URL Path Without Authentication, Enabling User Impersonation Critical
GHSA-wf8q-wvv8-p8jf was published for @samanhappy/mcphub (npm) May 14, 2026
ibrahmsql Credited to ibrahmsql
SillyTavern has Authentication Bypass via SSO Header Injection Critical
CVE-2026-44649 was published for sillytavern (npm) May 12, 2026
kirakira-dev Credited to kirakira-dev
purpshell Credited to purpshell and SheIITear SheIITear SheIITear
LiteLLM: Authentication Bypass via Host Header Injection Critical
CVE-2026-49468 was published for litellm (pip) Jun 16, 2026
LilThawg29 Credited to LilThawg29
CoreWCF: Authentication bypass in CoreWCF SAML 1.1 / 2.0 token signature validation Critical
CVE-2026-54782 was published for CoreWCF.Primitives (NuGet) Jun 19, 2026
@acastellon/auth: Authentication bypass via spoofable headers in validateToken() Critical
CVE-2026-58399 was published for @acastellon/auth (npm) Jun 18, 2026
hackchang Credited to hackchang
ProTip! Advisories are also available from the GraphQL API