GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
11,813 advisories
Filter by severity
NetLicensing-MCP: Unauthenticated Use of Server-Side NetLicensing API Key in HTTP Mode
High
CVE-2026-54446
was published
for
netlicensing-mcp
(pip)
Jul 14, 2026
Woodpecker: Privilege escalation via unrestricted serviceAccountName in the Kubernetes backend
High
CVE-2026-61549
was published
for
github.com/woodpecker-ci/woodpecker
(Go)
Jul 14, 2026
Nebula-mesh allows non-admin operators to disable webhook SSRF protection via `allow_private`
High
GHSA-7rx3-5wx3-5v76
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 14, 2026
nebula-mesh: Certificate revocation is never enforced at the mesh
High
CVE-2026-61699
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 14, 2026
Anyquery: Local File Read (LFR) via Unrestricted SQLite Virtual Table Modules in Server Mode
High
CVE-2026-54629
was published
for
github.com/julien040/anyquery
(Go)
Jul 14, 2026
nebula-mesh: Operator session tokens stored in plaintext in the database
High
CVE-2026-53603
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 14, 2026
Netty: Denial of Service via Unbounded Headers in StompSubframeDecoder
High
CVE-2026-44891
was published
for
io.netty:netty-codec-stomp
(Maven)
Jul 14, 2026
nebula-mesh: CA private key not zeroized on web mobile-bundle error paths
High
CVE-2026-53604
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 14, 2026
Anyquery: Server-Side Request Forgery (SSRF) via Unrestricted SQLite Virtual Table Modules in Server Mode
High
CVE-2026-54628
was published
for
github.com/julien040/anyquery
(Go)
Jul 14, 2026
Ech0: ParseAcceptLanguage `_` separator bypass enables ~70x CPU amplification via Accept-Language header in i18n.Middleware
High
GHSA-mqxv-9rm6-w8qc
was published
for
github.com/lin-snow/ech0
(Go)
Jul 14, 2026
Trivy: Helm chart tar bomb causes OOM via unbounded io.ReadAll in parser
High
CVE-2026-54448
was published
for
github.com/aquasecurity/trivy
(Go)
Jul 14, 2026
EasyAdmin: Stored Cross-Site Scripting (XSS) via uploaded files served inline in FileField and ImageField
High
CVE-2026-54087
was published
for
easycorp/easyadmin-bundle
(Composer)
Jul 14, 2026
TsDProxy: X-Forwarded-For header injection allows IP spoofing in proxied requests to backend services
High
GHSA-pqg7-v6wh-3pfp
was published
for
github.com/almeidapaulopt/tsdproxy
(Go)
Jul 14, 2026
yutu: Arbitrary File Write via MCP `caption-download` Tool
High
CVE-2026-50158
was published
for
github.com/eat-pray-ai/yutu
(Go)
Jul 14, 2026
Woodpecker gRPC agent_id metadata can be spoofed- cross-tenant agent impersonation
High
CVE-2026-50141
was published
for
go.woodpecker-ci.org/woodpecker/v3
(Go)
Jul 14, 2026
Fedify has an incomplete SSRF mitigation after GHSA-p9cg-vqcc-grcx: validatePublicUrl allows special-use IPv4 ranges
High
CVE-2026-50131
was published
for
@fedify/fedify
(npm)
Jul 14, 2026
MKP: Unbounded Pod Log Read via Attacker-Controlled `limitBytes`/`tailLines` Causes Memory Exhaustion
High
CVE-2026-50125
was published
for
github.com/StacklokLabs/mkp
(Go)
Jul 14, 2026
Hoverfly: Process Crash via Concurrent Map Write Race Condition in Diff Mode
High
CVE-2026-50013
was published
for
github.com/SpectoLabs/hoverfly
(Go)
Jul 14, 2026
FacturaScripts: CSV formula injection in CSVExport allows authenticated low-priv users to plant payloads that execute when an admin opens the export
High
CVE-2026-45263
was published
for
facturascripts/facturascripts
(Composer)
Jul 14, 2026
FacturaScripts: Unauthenticated Path Traversal in Static File Controllers Reads Private MyFiles Documents
High
CVE-2026-45693
was published
for
facturascripts/facturascripts
(Composer)
Jul 14, 2026
OpenCost ServiceKey Endpoint Unauthorized Credential Overwrite/Injection
High
CVE-2026-44300
was published
for
github.com/opencost/opencost
(Go)
Jul 14, 2026
Kimai: Pre-2FA KIMAI_SESSION cookie grants full authenticated REST API access, bypassing TOTP
High
CVE-2026-52827
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
json_repair: Circular JSON Schema `$ref` causes unbounded CPU DoS
High
GHSA-xf7x-x43h-rpqh
was published
for
json-repair
(pip)
Jul 13, 2026
DIRAC: SQL injection and lack of access control in PilotManager service
High
GHSA-7xw9-549r-8jrc
was published
for
DIRAC
(pip)
Jul 13, 2026
DIRAC: Pilot code downloaded over unverified HTTPS connection
High
CVE-2026-61668
was published
for
DIRAC
(pip)
Jul 13, 2026
ProTip!
Advisories are also available from the
GraphQL API