GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
279 advisories
Filter by severity
Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enabled is unset
High
GHSA-h4g2-xfmw-q2c9
was published
for
clauster
(pip)
Jul 10, 2026
File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE)
Critical
CVE-2026-54088
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Jul 10, 2026
SiYuan: Unauthenticated SQLite Data Exfiltration via Template Injection in /api/icon/getDynamicIcon
Moderate
CVE-2026-54068
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
Serena: Unauthenticated Flask dashboard on fixed port enables DNS rebinding → memory poisoning → RCE
High
CVE-2026-49471
was published
for
serena-agent
(pip)
Jul 8, 2026
Joro: Unauthenticated Cross-Origin Plugin Upload Leads to RCE
Critical
CVE-2026-53649
was published
for
github.com/BishopFox/joro
(Go)
Jul 8, 2026
ha-mcp: Add-on settings and policy routes are reachable without authentication at the bare root path
Moderate
GHSA-q855-8rh5-jfgq
was published
for
ha-mcp
(pip)
Jul 7, 2026
Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins
Critical
CVE-2026-53512
was published
for
better-auth
(npm)
Jul 7, 2026
9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats
Critical
GHSA-vjc7-jrh9-9j86
was published
for
9router
(npm)
Jul 6, 2026
flyto-core has Unauthenticated Command Execution via HTTP MCP `execute_module`
High
CVE-2026-55786
was published
for
flyto-core
(pip)
Jul 6, 2026
Dragonfly Manager OAuth provider client_secret disclosure via unauthenticated GET /api/v1/oauth
Low
CVE-2026-49254
was published
for
d7y.io/dragonfly/v2
(Go)
Jul 2, 2026
mcp-memory-service: Missing Authentication on Document API Endpoints Allows Unauthenticated Memory Read/Write/Delete
Critical
CVE-2026-50027
was published
for
mcp-memory-service
(pip)
Jul 2, 2026
Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication
High
CVE-2026-49357
was published
for
line-desktop-mcp
(npm)
Jun 26, 2026
mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind
Critical
CVE-2026-49257
was published
for
mcp-pinot-server
(pip)
Jun 26, 2026
Fluentd is Vulnerable to Exposure of Sensitive Information via Monitor Agent API
High
CVE-2026-44025
was published
for
fluentd
(RubyGems)
Jun 26, 2026
motionEye: LFI → pass‑the‑hash admin → unsafe restore → unauth action exec (RCE)
Critical
GHSA-qxvg-h7q2-hcxh
was published
for
motioneye
(pip)
Jun 23, 2026
dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens
Moderate
CVE-2026-55837
was published
for
dbt-mcp
(pip)
Jun 19, 2026
CoreWCF: Unix Domain Socket PosixIdentity transport accepts connections that skip the security upgrade
Moderate
CVE-2026-54776
was published
for
CoreWCF.UnixDomainSocket
(NuGet)
Jun 19, 2026
Home Assistant: Konnected alarm-panel switch state and zone topology disclosed to unauthenticated actors on the LAN
High
CVE-2026-54317
was published
for
homeassistant
(pip)
Jun 19, 2026
Tilt: Missing authentication on the network-exposed Tilt HUD server
Critical
CVE-2026-55884
was published
for
github.com/tilt-dev/tilt
(Go)
Jun 19, 2026
Network-AI: CVE-2026-46701 fix incomplete — empty default secret still authorizes all requests
Critical
CVE-2026-48814
was published
for
network-ai
(npm)
Jun 19, 2026
AgenticMail: Unauthenticated inbound mail triggers bypassPermissions resume of the operator's Claude Code session (bridge-wake)
High
GHSA-fq4x-789w-jg5h
was published
for
@agenticmail/claudecode
(npm)
Jun 18, 2026
PraisonAI A2U incomplete authentication fix leaves current serve command unauthenticated by default
High
GHSA-jxcw-qp4h-6jfq
was published
for
praisonai
(pip)
Jun 18, 2026
npm PraisonAI MCPServer exposes unauthenticated HTTP tools/call
Critical
GHSA-j4f3-55x4-r6q2
was published
for
praisonai
(npm)
Jun 18, 2026
npm PraisonAI AgentOS exposes unauthenticated agent listing and invocation
Critical
GHSA-9752-mhqh-h34f
was published
for
praisonai
(npm)
Jun 18, 2026
PraisonAI: Missing Authentication for Critical Function and Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in praisonai
Critical
GHSA-p75f-6fp4-p57w
was published
for
praisonai
(pip)
Jun 18, 2026
ProTip!
Advisories are also available from the
GraphQL API