Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

47 advisories

Loading
@cedar-policy/authorization-for-expressjs has an authorization bypass via query string manipulation High
CVE-2026-49473 was published for @cedar-policy/authorization-for-expressjs (npm) Jun 30, 2026
Remark42: Cross-Site Scripting (XSS) on /api/v1/img via content-type spoofing High
CVE-2026-48788 was published for github.com/umputun/remark42 (Go) Jun 26, 2026
ildkh Credited to ildkh
OctoPrint has possible file exfiltration via query parameters on upload endpoints High
CVE-2026-54134 was published for OctoPrint (pip) Jun 23, 2026
seankohjs Credited to seankohjs and jacopotediosi jacopotediosi jacopotediosi
threalwinky Credited to threalwinky
Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring High
CVE-2026-42462 was published for @fedify/fedify (npm) May 26, 2026
fast-uri vulnerable to host confusion via percent-encoded authority delimiters High
CVE-2026-6322 was published for fast-uri (npm) May 8, 2026
Jvr2022 Credited to Jvr2022, mcollina, UlisesGascon, and climba03003 mcollina mcollina
UlisesGascon UlisesGascon climba03003 climba03003
Flight: HTTP method override enabled by default, facilitating CSRF escalation and middleware bypass High
CVE-2026-42551 was published for flightphp/core (Composer) May 6, 2026
Rootingg Credited to Rootingg
Heimdall has an authorization bypass via path normalization mismatch High
CVE-2026-42274 was published for github.com/dadrus/heimdall (Go) Apr 25, 2026
Heimdall: Case-sensitive host matching may lead to policy bypass High
CVE-2026-42273 was published for github.com/dadrus/heimdall (Go) Apr 25, 2026
Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation High
CVE-2026-42272 was published for github.com/dadrus/heimdall (Go) Apr 25, 2026
@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option High
CVE-2026-33804 was published for @fastify/middie (npm) Apr 16, 2026
FredKSchott Credited to FredKSchott, mcollina, climba03003, and UlisesGascon mcollina mcollina
climba03003 climba03003 UlisesGascon UlisesGascon
Improper handling of null Unicode character when parsing JSON in github.com/modelcontextprotocol/go-sdk High
GHSA-q382-vc8q-7jhj was published for github.com/modelcontextprotocol/go-sdk (Go) Mar 19, 2026
anaximand3r Credited to anaximand3r
OpenClaw: Node-host approvals could show misleading shell payloads instead of the executed argv High
CVE-2026-32971 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
MCP Go SDK Vulnerable to Improper Handling of Case Sensitivity High
CVE-2026-27896 was published for github.com/modelcontextprotocol/go-sdk (Go) Feb 26, 2026
anaximand3r Credited to anaximand3r
Fickling: OBJ opcode call invisibility bypasses all safety checks High
GHSA-mxhj-88fx-4pcv was published for fickling (pip) Feb 24, 2026
yash2998chhabria Credited to yash2998chhabria
Fastify's Content-Type header tab character allows body validation bypass High
CVE-2026-25223 was published for fastify (npm) Feb 2, 2026
jsumners Credited to jsumners
node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization High
CVE-2025-12816 was published for node-forge (npm) Nov 26, 2025
wodzen Credited to wodzen and sei-vsarvepalli sei-vsarvepalli sei-vsarvepalli
Duplicate Advisory: Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict High
GHSA-jj37-3377-m6vv was published for nodemailer (npm) Nov 14, 2025 withdrawn
RatPanel can perform remote command execution without authorization High
CVE-2025-53534 was published for github.com/tnborg/panel (Go) Aug 4, 2025
LTLTLXEY Credited to LTLTLXEY and devhaozi devhaozi devhaozi
Git LFS permits exfiltration of credentials via crafted HTTP URLs High
CVE-2024-53263 was published for github.com/git-lfs/git-lfs (Go) Jan 14, 2025
Ry0taK Credited to Ry0taK
Git Credential Manager carriage-return character in remote URL allows malicious repository to leak credentials High
CVE-2024-50338 was published for git-credential-manager (NuGet) Jan 14, 2025
Name confusion in x509 Subject Alternative Name fields High
CVE-2023-52892 was published for phpseclib/phpseclib (Composer) Jun 28, 2024
ProTip! Advisories are also available from the GraphQL API