Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

69 advisories

Loading
nimonian Credited to nimonian
canto-saas-api: OAuth credentials exposed in URL query string and exception messages Moderate
CVE-2026-55375 was published for jleehr/canto-saas-api (Composer) Jun 19, 2026
jleehr Credited to jleehr
nebula-mesh: Newly-minted operator API key exposed in redirect URL (Referer, history, proxy logs) Moderate
CVE-2026-47768 was published for github.com/juev/nebula-mesh (Go) Jun 10, 2026
ak2k Credited to ak2k
Portainer: JWT accepted in URL query leaks tokens to logs and referers High
CVE-2026-44883 was published for github.com/portainer/portainer (Go) May 14, 2026
scanpwn Credited to scanpwn
AVideo: Password Hash Leak in MobileManager OAuth Redirect URL Enables Account Takeover Moderate
CVE-2026-43875 was published for wwbn/avideo (Composer) May 5, 2026
offset Credited to offset
Apache OpenMeetings Uses GET Request Method With Sensitive Query Strings High
CVE-2026-34020 was published for org.apache.openmeetings:openmeetings-parent (Maven) Apr 9, 2026
Nhost Leaks Refresh Tokens via URL Query Parameter in OAuth Provider Callback Low
CVE-2026-34969 was published for github.com/nhost/nhost (Go) Apr 1, 2026
0xkakash1 Credited to 0xkakash1
openssl-encrypt accepts refresh tokens as URL query parameters causing token leakage Moderate
GHSA-4rh7-jwg9-m28m was published for openssl-encrypt (pip) Apr 1, 2026
PinchTab: API Bearer Token Exposed in URL Query Parameter via Server Logs and Intermediary Systems Moderate
CVE-2026-33620 was published for github.com/pinchtab/pinchtab (Go) Mar 24, 2026
mean3374 Credited to mean3374
Gogs: Access tokens get exposed through URL params in API requests Moderate
CVE-2026-26196 was published for gogs.io/gogs (Go) Mar 5, 2026
rezmoss Credited to rezmoss
ProTip! Advisories are also available from the GraphQL API