Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

78 advisories

Loading
SiYuan: Unauthenticated SQLite Data Exfiltration via Template Injection in /api/icon/getDynamicIcon Moderate
CVE-2026-54068 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
geo-chen Credited to geo-chen
ha-mcp: Add-on settings and policy routes are reachable without authentication at the bare root path Moderate
GHSA-q855-8rh5-jfgq was published for ha-mcp (pip) Jul 7, 2026
bharat Credited to bharat
dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens Moderate
CVE-2026-55837 was published for dbt-mcp (pip) Jun 19, 2026
EQSTLab Credited to EQSTLab
CoreWCF: Unix Domain Socket PosixIdentity transport accepts connections that skip the security upgrade Moderate
CVE-2026-54776 was published for CoreWCF.UnixDomainSocket (NuGet) Jun 19, 2026
PraisonAI: Unauthenticated Event Injection via SSE `/publish` Endpoint Moderate
GHSA-35w5-pcw4-jx94 was published for praisonaiagents (pip) Jun 18, 2026
sondt99 Credited to sondt99
epa4all-client: Unauthenticated REST API for Patient Record Writes Moderate
CVE-2026-47672 was published for com.oviva.telematik:epa4all-rest-service (Maven) Jun 4, 2026
snomi Credited to snomi and Volcore Volcore Volcore
sondt99 Credited to sondt99
Symfony: Twilio SMS Notifier allows unauthenticated webhook injection due to missing X-Twilio-Signature verification Moderate
CVE-2026-47212 was published for symfony/symfony (Composer) May 29, 2026
nicolas-grekas Credited to nicolas-grekas
Sparkle's AppInstaller post-stage-1 XPC listener accepts unvalidated connections, allowing spoofed appcast item data injection Moderate
CVE-2026-47122 was published for github.com/sparkle-project/Sparkle (Swift) May 29, 2026
fg0x0 Credited to fg0x0
Symfony's Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC — Unauthenticated Webhook Event Injection Moderate
CVE-2026-45755 was published for symfony/mailtrap-mailer (Composer) May 28, 2026
alexandre-daubois Credited to alexandre-daubois and unknownhad unknownhad unknownhad
Symfony's Mailjet Mailer Webhook Parser Never Verifies the Configured Secret — Unauthenticated Webhook Event Injection Moderate
CVE-2026-45754 was published for symfony/lox24-notifier (Composer) May 28, 2026
alexandre-daubois Credited to alexandre-daubois, nicolas-grekas, and unknownhad nicolas-grekas nicolas-grekas
unknownhad unknownhad
Algernon: Auto-refresh SSE event server binds to all interfaces with Access-Control-Allow-Origin: * and no authentication Moderate
GHSA-9v4j-7g44-qcqw was published for github.com/xyproto/algernon (Go) May 19, 2026
Dredsen Credited to Dredsen
Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass Moderate
CVE-2026-45577 was published for neotoma (npm) May 18, 2026
offset Credited to offset
Open WebUI Vulnerable to Unauthenticated RAG Configuration Disclosure Moderate
CVE-2026-45397 was published for open-webui (pip) May 14, 2026
0xRyuzak1 Credited to 0xRyuzak1
mem0 server lacks authentication and authorization controls for its memory deletion API endpoint Moderate
CVE-2026-31241 was published for mem0ai (pip) May 12, 2026
mem0 server lacks authentication and authorization controls for its memory creation API endpoint Moderate
CVE-2026-31245 was published for mem0ai (pip) May 12, 2026
Ech0's Unauthenticated Like Endpoint Enables Arbitrary Engagement Metric Inflation Moderate
GHSA-rgj7-vg8v-j4wr was published for github.com/lin-snow/ech0 (Go) May 7, 2026
VashuVats Credited to VashuVats
offset Credited to offset
Ethyca Fides has a Privacy Request Identity Verification Bypass Vulnerability via Duplicate Detection Moderate
CVE-2026-42303 was published for ethyca-fides (pip) May 5, 2026
RobertKeyser Credited to RobertKeyser and daveqnet daveqnet daveqnet
OpenClaw: Sandbox noVNC helper route exposed interactive browser session credentials Moderate
GHSA-92jp-89mq-4374 was published for openclaw (npm) Apr 17, 2026
smaeljaish771 Credited to smaeljaish771 and KeenSecurityLab KeenSecurityLab KeenSecurityLab
Flowise: Unauthenticated Information Disclosure of OAuth Secrets (Cleartext) via GET Request Moderate
CVE-2026-56270 was published for flowise (npm) Apr 16, 2026
berkdedekarginoglu Credited to berkdedekarginoglu
AVideo: Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php Moderate
CVE-2026-35450 was published for wwbn/avideo (Composer) Apr 4, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
ProTip! Advisories are also available from the GraphQL API