GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,296
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
143 advisories
Filter by severity
@better-auth/oauth-provider's OAuth authorization-code grant allows concurrent redemption when two token requests race the find-then-delete primitive
High
CVE-2026-53518
was published
for
@better-auth/oauth-provider
(npm)
Jul 7, 2026
Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption
High
CVE-2026-53517
was published
for
@better-auth/oauth-provider
(npm)
Jul 7, 2026
uucore: safe_traversal TOCTOU protection only enabled on Linux
Low
CVE-2026-35362
was published
for
uucore
(Rust)
Jul 6, 2026
mkdir: -m exposes directory with umask perms before chmod (race window)
Low
CVE-2026-35353
was published
for
uu_mkdir
(Rust)
Jul 6, 2026
install -D: symlink race in directory creation allows arbitrary file overwrite
Moderate
CVE-2026-35356
was published
for
uu_install
(Rust)
Jul 6, 2026
install: TOCTOU symlink race (unlink-then-create without O_EXCL) allows arbitrary file overwrite
Moderate
CVE-2026-35355
was published
for
uu_install
(Rust)
Jul 6, 2026
OpenClaw: Combined POSIX shell options could confuse exec revalidation
High
CVE-2026-53806
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Node pairing reconnection could confuse approval scope state
High
GHSA-83w9-h5wv-j9xm
was published
for
openclaw
(npm)
Jul 2, 2026
Statamic Vulnerable to Server-Side Request Forgery via Glide (DNS rebinding)
Moderate
CVE-2026-54242
was published
for
statamic/cms
(Composer)
Jun 26, 2026
Aimeos Pagible CMS vulnerable to Server Side Request Forgery (SSRF) via DNS rebinding in admin proxy
Low
CVE-2026-49262
was published
for
aimeos/pagible
(Composer)
Jun 26, 2026
@budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation
High
CVE-2026-54353
was published
for
@budibase/backend-core
(npm)
Jun 22, 2026
ChatterBot: Symlink-Following Arbitrary Write via UbuntuCorpusTrainer
Moderate
GHSA-wvrh-2f4m-924v
was published
for
ChatterBot
(pip)
Jun 19, 2026
Crossplane: Signature verification TOCTOU allows installing unverified package content via mutable tag
Critical
GHSA-wfqx-gjrf-g28r
was published
for
github.com/crossplane/crossplane
(Go)
Jun 19, 2026
CoreWCF NetNamedPipe transport accepts attach to a pre-existing named pipe instance
Moderate
CVE-2026-54777
was published
for
CoreWCF.NetNamedPipe
(NuGet)
Jun 19, 2026
undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse
Low
CVE-2026-6733
was published
for
undici
(npm)
Jun 19, 2026
PraisonAI: Jobs webhook SSRF protection bypass via DNS rebinding
High
GHSA-rjvw-7vvw-549v
was published
for
praisonai
(pip)
Jun 18, 2026
Pi Agent: Race condition in Pi auth.json writes could expose stored credentials
Low
CVE-2026-54327
was published
for
@earendil-works/pi-coding-agent
(npm)
Jun 17, 2026
File Browser: Improper Access Control Occurs via Pre-Created Public Share for a Non-existent Path
High
CVE-2026-54096
was published
for
github.com/filebrowser/filebrowser
(Go)
Jun 12, 2026
Appsmith Super User Creation Race Condition Allows Multiple Instance Administrators
High
GHSA-9wcp-79g5-5c3c
was published
for
com.appsmith:server
(Maven)
Jun 12, 2026
Omni has a TOCTOU race condition that allows multiple concurrent uses of a single-use SAML session token
High
CVE-2026-45720
was published
for
github.com/siderolabs/omni
(Go)
Jun 5, 2026
Keycloak has a Time-of-check Time-of-use (TOCTOU) Race Condition
Moderate
CVE-2026-9796
was published
for
org.keycloak:keycloak-server
(Maven)
May 28, 2026
Pterodactyl has a database resource limit bypass via race condition in Client API
Low
CVE-2026-35202
was published
for
pterodactyl/panel
(Composer)
May 26, 2026
Diffusers: TOCTOU Trust Remote Code Bypass
High
CVE-2026-45804
was published
for
diffusers
(pip)
May 20, 2026
Docker: Race condition in docker cp allows bind mount redirection to host path
High
CVE-2026-42306
was published
for
github.com/docker/docker
(Go)
May 18, 2026
Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
Moderate
CVE-2026-41568
was published
for
github.com/docker/docker
(Go)
May 18, 2026
ProTip!
Advisories are also available from the
GraphQL API