Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

147 advisories

Loading
File Browser: Authentication Bypass via Proxy Auth Header Forgery Critical
CVE-2026-54089 was published for github.com/filebrowser/filebrowser/v2 (Go) Jul 10, 2026
Akokonunes Credited to Akokonunes and neo-ai-engineer neo-ai-engineer neo-ai-engineer
9router: Login brute-force protection bypass via spoofed X-Forwarded-For header High
CVE-2026-55501 was published for 9router (npm) Jul 6, 2026
dinhvaren Credited to dinhvaren
SnailSploit Credited to SnailSploit and 0xShemesh 0xShemesh 0xShemesh
OpenClaw: Matrix allowFrom could bind to mutable display names High
CVE-2026-53811 was published for openclaw (npm) Jul 2, 2026
PhilipPhil Credited to PhilipPhil
OpenClaw: Slack allowFrom could bind to mutable display names High
GHSA-c29c-2q9c-pc86 was published for openclaw (npm) Jul 2, 2026
PhilipPhil Credited to PhilipPhil
OpenClaw: Control UI locality spoofing could mint a durable admin device token High
CVE-2026-53817 was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen
OpenClaw: Same-host trusted-proxy deployments could accept local forged identity headers High
GHSA-rggc-m335-3wvj was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen and Ellahinator Ellahinator Ellahinator
GoFiber Vulnerable to X-Real-IP Spoofing via Header.Add() in BalancerForward Moderate
CVE-2026-45045 was published for github.com/gofiber/fiber/v2 (Go) Jul 2, 2026
TristanInSec Credited to TristanInSec, ReneWerner87, and gaby ReneWerner87 ReneWerner87
gaby gaby
@acastellon/auth: Authentication bypass via spoofable headers in validateToken() Critical
CVE-2026-58399 was published for @acastellon/auth (npm) Jun 18, 2026
hackchang Credited to hackchang
PinkDraconian Credited to PinkDraconian
chi Has an IP Spoofing Vulnerability in `middleware.RealIP` Moderate
GHSA-3fxj-6jh8-hvhx was published for github.com/go-chi/chi/v5/middleware (Go) Jun 25, 2026
Saku0512 Credited to Saku0512
chi's RealIP Middleware allows IP spoofing via unvalidated X-Forwarded-For header High
GHSA-rjr7-jggh-pgcp was published for github.com/go-chi/chi/middleware (Go) Jun 25, 2026
rezmoss Credited to rezmoss
n8n: Webhook Forgery on Github Webhook Trigger Moderate
CVE-2026-56357 was published for n8n (npm) Feb 26, 2026
simonkoeck Credited to simonkoeck
Gogs has an Authentication Bypass via Unvalidated Reverse Proxy Headers High
CVE-2026-25119 was published for gogs.io/gogs (Go) Jun 22, 2026
tenbbughunters Credited to tenbbughunters
CoreWCF: Authentication bypass in CoreWCF SAML 1.1 / 2.0 token signature validation Critical
CVE-2026-54782 was published for CoreWCF.Primitives (NuGet) Jun 19, 2026
OpenClaw: Discord allowFrom could bind to mutable display names High
CVE-2026-53849 was published for openclaw (npm) Jun 18, 2026
PhilipPhil Credited to PhilipPhil
Duplicate Advisory: Discord allowFrom could bind to mutable display names High
GHSA-p44v-rx83-vjp4 was published for openclaw (npm) Jun 16, 2026 withdrawn
OpenClaw: Zalo allowFrom could bind to mutable display names High
CVE-2026-53857 was published for openclaw (npm) Jun 18, 2026
PhilipPhil Credited to PhilipPhil
Duplicate Advisory: Zalo allowFrom could bind to mutable display names High
GHSA-w7m7-3xcf-mp48 was published for openclaw (npm) Jun 16, 2026 withdrawn
Heimdall: IP Spoofing via Unvalidated Forwarding Headers High
GHSA-38x9-25wx-7fg2 was published for https://github.com/dadrus/heimdall (Go) Jun 18, 2026
LiteLLM: Authentication Bypass via Host Header Injection Critical
CVE-2026-49468 was published for litellm (pip) Jun 16, 2026
LilThawg29 Credited to LilThawg29
Caddy: FastCGI header normalization bypass in `forward_auth copy_headers` High
CVE-2026-52845 was published for github.com/caddyserver/caddy (Go) Jun 16, 2026
Vincent550102 Credited to Vincent550102
n8n: Missing Token Validation on Microsoft Agent 365 Trigger and Stripe Nodes Moderate
CVE-2026-54308 was published for n8n (npm) Jun 16, 2026
nkoorty Credited to nkoorty and jjjutla jjjutla jjjutla
purpshell Credited to purpshell and SheIITear SheIITear SheIITear
Doorkeeper Openid Connect: Dynamic Client Registration feature creates public clients with client_secret Moderate
CVE-2026-44476 was published for doorkeeper-openid_connect (RubyGems) Jun 4, 2026
55728 Credited to 55728
ProTip! Advisories are also available from the GraphQL API