Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,449 advisories

Loading
TSDProxy: Internal proxy auth token forwarded to backend services enables management API escalation Critical
GHSA-g936-7jqj-mwv8 was published for github.com/almeidapaulopt/tsdproxy (Go) Jul 10, 2026
therawdev Credited to therawdev
SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content Critical
CVE-2026-50551 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
Yunkaiwjs Credited to Yunkaiwjs
prestashop/ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE Critical
CVE-2026-54159 was published for prestashop/ps_facetedsearch (Composer) Jul 10, 2026
SiYuan: Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML() Critical
CVE-2026-54158 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
hillalee Credited to hillalee
File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE) Critical
CVE-2026-54088 was published for github.com/filebrowser/filebrowser/v2 (Go) Jul 10, 2026
Saku0512 Credited to Saku0512 and hacdias hacdias hacdias
`exploration` was removed from crates.io for malicious code Critical
GHSA-99j7-fhr2-xfj4 was published for exploration (Rust) Jul 10, 2026
File Browser: Authentication Bypass via Proxy Auth Header Forgery Critical
CVE-2026-54089 was published for github.com/filebrowser/filebrowser/v2 (Go) Jul 10, 2026
Akokonunes Credited to Akokonunes and neo-ai-engineer neo-ai-engineer neo-ai-engineer
SiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist Critical
CVE-2026-54069 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
oduoke567 Credited to oduoke567
Authorizer: Unvalidated redirect_uri in /authorize leaks OAuth2 tokens to attacker-controlled URL Critical
CVE-2026-54072 was published for github.com/authorizerdev/authorizer (Go) Jul 10, 2026
morimori-dev Credited to morimori-dev
SiYuan: Stored XSS to RCE via CSS-snippet <style> breakout in renderSnippet() Critical
CVE-2026-54067 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
hillalee Credited to hillalee
YesWiki has Unsafe eval() in its Formula Calculato, Leading to Remote Code Execution & Denial of Service Critical
CVE-2026-52778 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
N0tFix3d Credited to N0tFix3d
YesWiki Vulnerable to Authenticated PHP Object Injection in BazarImportAction via unserialize Critical
CVE-2026-52777 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
fg0x0 Credited to fg0x0
YesWiki vulnerable to unauthenticated arbitrary page deletion via `{{erasespamedcomments}}` action Critical
CVE-2026-52766 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
CosmicCrusader23 Credited to CosmicCrusader23
Joro: Unauthenticated Cross-Origin Plugin Upload Leads to RCE Critical
CVE-2026-53649 was published for github.com/BishopFox/joro (Go) Jul 8, 2026
stover-BF Credited to stover-BF
Nuclio: Unsanitized cron trigger event headers/body injected into CronJob shell command leads to persistent RCE Critical
CVE-2026-52831 was published for github.com/nuclio/nuclio (Go) Jul 8, 2026
j311yl0v3u Credited to j311yl0v3u and b0b0haha b0b0haha b0b0haha
Goploy: Cross-namespace IDOR and RCE via body-supplied row id in project and project_file handlers Critical
CVE-2026-53552 was published for github.com/zhenorzz/goploy (Go) Jul 7, 2026
tonghuaroot Credited to tonghuaroot
@better-auth/sso provider registration has server-side request forgery via unvalidated OIDC endpoints Critical
CVE-2026-53513 was published for @better-auth/sso (npm) Jul 7, 2026
vaadata-poyetont Credited to vaadata-poyetont
Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins Critical
CVE-2026-53512 was published for better-auth (npm) Jul 7, 2026
subhanUmer Credited to subhanUmer
EGroupware has a Remote Code Execution Vulnerability Critical
CVE-2026-27823 was published for egroupware/egroupware (Composer) Jul 7, 2026
realalphaman Credited to realalphaman
defuse Credited to defuse, nuttycom, daira, conradoplg, mpguerra, and alchemydc nuttycom nuttycom
daira daira conradoplg conradoplg mpguerra mpguerra alchemydc alchemydc
9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats Critical
GHSA-vjc7-jrh9-9j86 was published for 9router (npm) Jul 6, 2026
newnol Credited to newnol
YLChen-007 Credited to YLChen-007
ProTip! Advisories are also available from the GraphQL API