Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

677 advisories

Loading
laravel-backup-restore has an OS Command Injection during database restore High
CVE-2026-53932 was published for wnx/laravel-backup-restore (Composer) Jul 9, 2026
YHalo-wyh Credited to YHalo-wyh
Nuclio: Unsanitized cron trigger event headers/body injected into CronJob shell command leads to persistent RCE Critical
CVE-2026-52831 was published for github.com/nuclio/nuclio (Go) Jul 8, 2026
j311yl0v3u Credited to j311yl0v3u and b0b0haha b0b0haha b0b0haha
EGroupware has Authenticated RCE via Malicious eTemplate Upload High
CVE-2026-40187 was published for egroupware/egroupware (Composer) Jul 7, 2026
dapickle Credited to dapickle
Linuxfabrik Monitoring Plugins have local privilege escalation using embedded command High
CVE-2026-55426 was published for linuxfabrik-lib (pip) Jul 6, 2026
OoYo0uto Credited to OoYo0uto
Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` High
CVE-2026-55427 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
flyto-core has Unauthenticated Command Execution via HTTP MCP `execute_module` High
CVE-2026-55786 was published for flyto-core (pip) Jul 6, 2026
EQSTLab Credited to EQSTLab
9router: Missing Authorization and OS Command Injection Critical
CVE-2026-59800 was published for 9router (npm) Jul 2, 2026
vcth4nh Credited to vcth4nh and Ductinn Ductinn Ductinn
electerm has Command Injection in File System Operations (rmrf, mv, cp) High
CVE-2026-49255 was published for electerm (npm) Jul 2, 2026
hibrian827 Credited to hibrian827
Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent High
CVE-2026-44454 was published for github.com/coder/coder (Go) Jul 2, 2026
avivdon Credited to avivdon
OpenClaw's POSIX node system.run safe-bin allowlist could be widened by shell expansion High
GHSA-mhq8-78pj-5j79 was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen and Ellahinator Ellahinator Ellahinator
OpenClaw's marketplace runtime extension metadata could point at unscanned payloads High
CVE-2026-53810 was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen and Ellahinator Ellahinator Ellahinator
OpenClaw: Bundle MCP loopback could miss its exec denylist on session spawn Moderate
GHSA-qh2f-99mv-mrcf was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen and Ellahinator Ellahinator Ellahinator
pnpm: Repository-controlled configDependencies can select a pacquet native install engine High
CVE-2026-55697 was published for pnpm (npm) Jun 26, 2026
tonghuaroot Credited to tonghuaroot and endelwar endelwar endelwar
@cyclonedx/cdxgen: Maven project scanning may allow shell command injection through repository-controlled module paths Moderate
GHSA-5vwr-qchf-q4pf was published for @cyclonedx/cdxgen (npm) Jun 26, 2026
aleff-github Credited to aleff-github
ImageMagick: Policy Bypass can read disallowed files via symlink Moderate
CVE-2026-49219 was published for Magick.NET-Q16-AnyCPU (NuGet) Jun 25, 2026
GameZoneHacker Credited to GameZoneHacker
Mise's local credential_command executes untrusted config Moderate
CVE-2026-55448 was published for mise (Rust) Jun 23, 2026
kq5y Credited to kq5y
miauzxw Credited to miauzxw
sectroyer Credited to sectroyer
githubtoplanguages: Command Injection via Issue Title in Discord Notification Workflow High
GHSA-c3xh-98xp-6qhf was published for gouef/githubtoplanguages (GitHub Actions) Jun 19, 2026
choseogyeong Credited to choseogyeong
@cyclonedx/cyclonedx-npm: Shell Injection via Unsanitized --workspace Argument High
CVE-2026-55849 was published for @cyclonedx/cyclonedx-npm (npm) Jun 19, 2026
fortress07 Credited to fortress07 and jkowalleck jkowalleck jkowalleck
agent-coderag: Gradle Wrapper Execution During Dependency Discovery Enables Arbitrary Code Execution High
GHSA-wg5p-8h9p-3mr7 was published for agent-coderag (pip) Jun 19, 2026
EQSTLab Credited to EQSTLab and 232-323 232-323 232-323
ProTip! Advisories are also available from the GraphQL API