Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

82 advisories

Loading
Anyquery: Local File Read (LFR) via Unrestricted SQLite Virtual Table Modules in Server Mode High
CVE-2026-54629 was published for github.com/julien040/anyquery (Go) Jul 14, 2026
Metincloup Credited to Metincloup
Picklescan vulnerable to Arbitrary File Writing High
CVE-2025-71321 was published for picklescan (pip) Dec 29, 2025
0x-Apollyon Credited to 0x-Apollyon
Grafana: SQL Expressions Read File From Disk Moderate
CVE-2026-33380 was published for github.com/grafana/grafana (Go) May 13, 2026
Dalfox Server Mode has an Unauthenticated Arbitrary File Read with Out-of-Band Exfiltration via `custom-payload-file` High
CVE-2026-45088 was published for github.com/hahwul/dalfox/v2 (Go) May 12, 2026
Exposure of .env if project root is configured as web root in shopware/production Moderate
GHSA-3pcr-4982-548m was published for shopware/production (Composer) Apr 13, 2021
Algernon: handler.lua discovery walks parent directories above the server root Critical
CVE-2026-45721 was published for github.com/xyproto/algernon (Go) May 19, 2026
Dredsen Credited to Dredsen
Home Assistant MCP Server: YAML config backups written under www/ are served unauthenticated at /local/ Moderate
GHSA-g39v-cvjh-8fpf was published for ha-mcp (pip) May 14, 2026
bharat Credited to bharat
@axonflow/openclaw fix introduces plugin cache and credential-file permission hardening Moderate
GHSA-cqmh-pcgr-q42f was published for @axonflow/openclaw (npm) May 6, 2026
tdjackey Credited to tdjackey
FHIR Validator HTTP service has SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft Critical
CVE-2026-34361 was published for ca.uhn.hapi.fhir:org.hl7.fhir.validation (Maven) Mar 30, 2026
offset Credited to offset
SiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes Moderate
CVE-2026-32750 was published for github.com/siyuan-note/siyuan (Go) Mar 16, 2026
fg0x0 Credited to fg0x0
TinaCMS CLI has Arbitrary File Read via Disabled Vite Filesystem Restriction Moderate
CVE-2026-29066 was published for @tinacms/cli (npm) Mar 12, 2026
alaeddine03 Credited to alaeddine03
Liferay Portal Unauthenticated File Access via URL Moderate
CVE-2025-43749 was published for com.liferay.portal:release.portal.bom (Maven) Aug 20, 2025
Umbraco Vulnerable to Improper File Access and Credential Exposure in Dictionary Import Functionality Moderate
CVE-2025-66625 was published for Umbraco.Cms (NuGet) Dec 9, 2025
Constellation has insecure LUKS2 persistent storage partitions which may be opened and used High
CVE-2025-58356 was published for github.com/edgelesssys/constellation/v2 (Go) Oct 27, 2025
tjade273 Credited to tjade273, daniel-weisse, msanft, and katexochen daniel-weisse daniel-weisse
msanft msanft katexochen katexochen
Contrast has insecure LUKS2 persistent storage partitions may be opened and used Moderate
GHSA-f5p4-p5q5-jv3h was published for github.com/edgelesssys/contrast (Go) Oct 28, 2025
katexochen Credited to katexochen and tjade273 tjade273 tjade273
Apache Kylin Files or Directories Accessible to External Parties High
CVE-2025-61734 was published for org.apache.kylin:kylin (Maven) Oct 2, 2025
OpenStack Nova vulnerable to unauthorized access to potentially sensitive data Moderate
CVE-2024-40767 was published for Nova (pip) Jul 24, 2024
OpenStack Cinder, Glance, and Nova vulnerable to arbitrary file access High
CVE-2024-32498 was published for cinder (pip) Jul 5, 2024
Guava vulnerable to insecure use of temporary directory Moderate
CVE-2023-2976 was published for com.google.guava:guava (Maven) Jun 14, 2023
TCPDF Local File Inclusion vulnerability Moderate
CVE-2024-51058 was published for tecnickcom/tcpdf (Composer) Nov 26, 2024
Vert.x-Web Access Control Flaw in StaticHandler’s Hidden File Protection for Files Under Hidden Directories Moderate
CVE-2025-11965 was published for io.vertx:vertx-web (Maven) Oct 22, 2025
Path Traversal in Apache Flink High
CVE-2020-17519 was published for org.apache.flink:flink-runtime_2.11 (Maven) Jan 6, 2021
stephanmiehe Credited to stephanmiehe
copyparty: Sharing a single file does not fully restrict access to other files in source folder Moderate
CVE-2025-58753 was published for copyparty (pip) Sep 9, 2025
ProTip! Advisories are also available from the GraphQL API