Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

675 advisories

Loading
hash3liZer Credited to hash3liZer
Centrifugo's dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentication bypass High
CVE-2026-49998 was published for github.com/centrifugal/centrifugo (Go) Jul 1, 2026
sondt99 Credited to sondt99
sigstore's `certificateOIDs` verification constraints are silently dropped and never enforced High
CVE-2026-48815 was published for sigstore (npm) Jul 1, 2026
Jvr2022 Credited to Jvr2022, Str1ckl4nd, and Zyy0530 Str1ckl4nd Str1ckl4nd
Zyy0530 Zyy0530
Sigstore Java has a vulnerability with bundle verification of integratedTime Low
CVE-2026-48791 was published for dev.sigstore:sigstore-java (Maven) Jun 30, 2026
Relyra SAML SignatureValue not cryptographically verified -> authentication bypass Critical
CVE-2026-49454 was published for relyra (Erlang) Jun 26, 2026
@sigstore/core has DSSE payloadType type-binding failure Moderate
CVE-2026-48758 was published for @sigstore/core (npm) Jun 26, 2026
Str1ckl4nd Credited to Str1ckl4nd and Zyy0530 Zyy0530 Zyy0530
golang.org/x/crypto: Invoking pathological RSA/DSA parameters may cause DoS High
CVE-2026-39829 was published for golang.org/x/crypto (Go) Jun 25, 2026
Lemur: JWT verifier honors attacker-supplied alg, enabling ATO Moderate
CVE-2026-55165 was published for lemur (pip) Jun 25, 2026
im-rootkid Credited to im-rootkid
OpenAM: Unauthenticated Authentication Bypass via RADIUS Spoofing High
CVE-2026-46560 was published for org.openidentityplatform.openam:openam-radius (Maven) Jun 25, 2026
wodzen Credited to wodzen
motionEye: LFI → pass‑the‑hash admin → unsafe restore → unauth action exec (RCE) Critical
GHSA-qxvg-h7q2-hcxh was published for motioneye (pip) Jun 23, 2026
C4spr0x1A Credited to C4spr0x1A and MichaIng MichaIng MichaIng
@jhb.software/payload-cloudinary-plugin: Arbitrary Cloudinary API Parameter Signing High
GHSA-h5x8-xp6m-x6q4 was published for @jhb.software/payload-cloudinary-plugin (npm) Jun 19, 2026
EQSTLab Credited to EQSTLab and 232-323 232-323 232-323
ProTip! Advisories are also available from the GraphQL API