GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
26 advisories
Filter by severity
Identity Spoofing in libp2p-secio
Critical
GHSA-rch7-f4h5-x9rj
was published
for
libp2p-secio
(npm)
Aug 23, 2019
Argo CD will blindly trust JWT claims if anonymous access is enabled
Critical
CVE-2022-29165
was published
for
github.com/argoproj/argo-cd
(Go)
May 24, 2022
Authentication Bypass in dex
Critical
CVE-2020-27847
was published
for
github.com/dexidp/dex
(Go)
Dec 20, 2021
Implementation trusts the "me" field returned by the authorization server without verifying it
Critical
GHSA-mjcr-rqjg-rhg3
was published
for
datasette-indieauth
(pip)
Nov 24, 2020
python-jwt vulnerable to token forgery with new claims
Critical
CVE-2022-39227
was published
for
python-jwt
(pip)
Sep 21, 2022
Mellium allows Authentication Bypass by Spoofing
Critical
CVE-2024-46957
was published
for
mellium.im/xmpp
(Go)
Sep 25, 2024
Grafana vulnerable to Authentication Bypass by Spoofing
Critical
CVE-2023-3128
was published
for
github.com/grafana/grafana
(Go)
Jun 22, 2023
The AspNetCore Remote Authenticator for SPID Allows SAML Response Signature Verification Bypass
Critical
CVE-2025-24894
was published
for
SPID.AspNetCore.Authentication
(NuGet)
Feb 18, 2025
AspNetCore Remote Authenticator for CIE3.0 Allows SAML Response Signature Verification Bypass
Critical
CVE-2025-24895
was published
for
CIE.AspNetCore.Authentication
(NuGet)
Feb 18, 2025
OAuth2-Proxy has authentication bypass in oauth2-proxy skip_auth_routes due to Query Parameter inclusion
Critical
CVE-2025-54576
was published
for
github.com/oauth2-proxy/oauth2-proxy/v7
(Go)
Jul 30, 2025
HydrAIDE Authentication Bypass Vulnerability
Critical
GHSA-qp7j-x725-g67f
was published
for
github.com/hydraide/hydraide
(Go)
Aug 19, 2025
Akka.Remote TLS did not properly implement certificate-based authentication
Critical
CVE-2025-61778
was published
for
Akka.Cluster
(NuGet)
Oct 7, 2025
FUXA Unauthenticated Remote Code Execution in Node-RED Integration
Critical
CVE-2026-25938
was published
for
fuxa-server
(npm)
Feb 10, 2026
Nextcloud Talk allowlist bypass via actor.name display name spoofing
Critical
CVE-2026-28474
was published
for
@openclaw/nextcloud-talk
(npm)
Feb 17, 2026
OAuth2 Proxy's Health Check User-Agent Matching Bypasses Authentication in auth_request Mode
Critical
CVE-2026-34457
was published
for
github.com/oauth2-proxy/oauth2-proxy
(Go)
Apr 14, 2026
OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing
Critical
CVE-2026-40575
was published
for
github.com/oauth2-proxy/oauth2-proxy/v7
(Go)
Apr 15, 2026
Codechecker has an authentication bypass for certain API calls
Critical
CVE-2026-25660
was published
for
codechecker
(pip)
May 5, 2026
Unity Catalog has a JWT Issuer Validation Bypass tht Allows Complete User Impersonation
Critical
CVE-2026-27478
was published
for
io.unitycatalog:unitycatalog-server
(Maven)
May 11, 2026
Sentry's improper authentication on SAML SSO process allows user identity linking
Critical
CVE-2026-42354
was published
for
sentry
(pip)
Apr 30, 2026
@samanhappy/mcphub: SSE Endpoint Accepts Arbitrary Username from URL Path Without Authentication, Enabling User Impersonation
Critical
GHSA-wf8q-wvv8-p8jf
was published
for
@samanhappy/mcphub
(npm)
May 14, 2026
SillyTavern has Authentication Bypass via SSO Header Injection
Critical
CVE-2026-44649
was published
for
sillytavern
(npm)
May 12, 2026
Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload
Critical
CVE-2026-48063
was published
for
@whiskeysockets/baileys
(npm)
Jun 10, 2026
LiteLLM: Authentication Bypass via Host Header Injection
Critical
CVE-2026-49468
was published
for
litellm
(pip)
Jun 16, 2026
CoreWCF: Authentication bypass in CoreWCF SAML 1.1 / 2.0 token signature validation
Critical
CVE-2026-54782
was published
for
CoreWCF.Primitives
(NuGet)
Jun 19, 2026
@acastellon/auth: Authentication bypass via spoofable headers in validateToken()
Critical
CVE-2026-58399
was published
for
@acastellon/auth
(npm)
Jun 18, 2026
ProTip!
Advisories are also available from the
GraphQL API