Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

669 advisories

Loading
OpenClaw: Bundle MCP loopback could miss its exec denylist on session spawn Moderate
GHSA-qh2f-99mv-mrcf was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen and Ellahinator Ellahinator Ellahinator
@cyclonedx/cdxgen: Maven project scanning may allow shell command injection through repository-controlled module paths Moderate
GHSA-5vwr-qchf-q4pf was published for @cyclonedx/cdxgen (npm) Jun 26, 2026
aleff-github Credited to aleff-github
ImageMagick: Policy Bypass can read disallowed files via symlink Moderate
CVE-2026-49219 was published for Magick.NET-Q16-AnyCPU (NuGet) Jun 25, 2026
GameZoneHacker Credited to GameZoneHacker
OS Command Injection vulnerability in Rapid7 InsightConnect RPM Plugin on Linux allows... Moderate Unreviewed
CVE-2026-8663 was published Jun 25, 2026
Mise's local credential_command executes untrusted config Moderate
CVE-2026-55448 was published for mise (Rust) Jun 23, 2026
kq5y Credited to kq5y
OpenStack Horizon RC file generation does not escape special characters in project names Moderate
CVE-2026-55748 was published for horizon (pip) Jun 17, 2026
Claude Code Action: Malicious MCP Server Configuration in PRs Enables Remote Code Execution and Secret Exfiltration Moderate
CVE-2026-47751 was published for anthropics/claude-code-action (GitHub Actions) Jun 10, 2026
b0b0haha Credited to b0b0haha, j311yl0v3u, and sanketsudake j311yl0v3u j311yl0v3u
sanketsudake sanketsudake
Insufficient sanitization of volume paths in Netatalk 3.1.0 through 4.4.2 allows a local... Moderate Unreviewed
CVE-2026-44076 was published May 21, 2026
Setup PHP: Command Injection in Repository-Derived PHP Version Resolution Moderate
CVE-2026-46420 was published for shivammathur/setup-php (GitHub Actions) May 20, 2026
Arcane Backend: OS Command Injection in Volume Browser ListDirectory via path query parameter Moderate
CVE-2026-45626 was published for github.com/getarcaneapp/arcane/backend (Go) May 18, 2026
offset Credited to offset
@apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input Moderate
CVE-2026-42853 was published for @apostrophecms/cli (npm) May 14, 2026
VadlaReddySai Credited to VadlaReddySai and Chittu13 Chittu13 Chittu13
ProTip! Advisories are also available from the GraphQL API