Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,453 advisories

Loading
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login Low
CVE-2026-48589 was published for org.apache.shiro:shiro-jakarta-ee (Maven) May 26, 2026
yeikel Credited to yeikel
Code Index MCP is vulnerable to Uncontrolled Resource Consumption Low
CVE-2026-10692 was published for code-index-mcp (pip) Jun 3, 2026
DesktopCommanderMCP is vulnerable to SSRF Low
CVE-2026-10690 was published for @wonderwhy-er/desktop-commander (npm) Jun 3, 2026
DesktopCommanderMCP is vulnerable to Uncontrolled Resource Consumption Low
CVE-2026-10691 was published for @wonderwhy-er/desktop-commander (npm) Jun 3, 2026
Tesla vulnerable to multipart part smuggling via unescaped `content-disposition` values Low
CVE-2026-48598 was published for tesla (Erlang) Jul 10, 2026
PJUllrich Credited to PJUllrich, yordis, and maennchen yordis yordis
maennchen maennchen
Tesla has CRLF injection in request `Content-Type` header via `add_content_type_param` Low
CVE-2026-48596 was published for tesla (Erlang) Jul 10, 2026
PJUllrich Credited to PJUllrich, yordis, and maennchen yordis yordis
maennchen maennchen
mint has potential CRLF injection in its HTTP request line via unvalidated `method`/`target` Low
CVE-2026-48861 was published for mint (Erlang) Jul 9, 2026
PJUllrich Credited to PJUllrich, maennchen, and ericmj maennchen maennchen
ericmj ericmj
hermes-agent has an Injection issue Low
CVE-2026-10222 was published for hermes-agent (pip) Jun 1, 2026
Apache Airflow has an Incorrect Authorization issue Low
CVE-2026-45426 was published for apache-airflow (pip) Jun 1, 2026
Apache Airflow has an Improper Authorization issue Low
CVE-2026-40963 was published for apache-airflow (pip) Jun 1, 2026
Craft CMS has authenticated path traversal in `assets/icon`, allowing local `.svg` file read Low
GHSA-c43v-4cr8-6mvp was published for craftcms/cms (Composer) Jul 9, 2026
GCXWLP Credited to GCXWLP
Waku has an Open Redirect via `unstable_redirect` Helper Low
CVE-2026-49456 was published for waku (npm) Jul 8, 2026
j0hndo Credited to j0hndo
Logback vulnerable to Object Injection through HardenedObjectInputStream modules Low
CVE-2026-10532 was published for ch.qos.logback:logback-core (Maven) Jun 1, 2026
Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning Low
CVE-2026-46342 was published for @nuxt/nitro-server (npm) May 19, 2026
fancymalware Credited to fancymalware
Dolibarr ERP CRM is vulnerable to Improper Authorization through its Leave Request REST API Low
CVE-2026-10215 was published for dolibarr/dolibarr (Composer) Jun 1, 2026
rama has Stored XSS in ServeDir HTML directory listing via unescaped file names and URI path Low
GHSA-cwv4-h3j5-w3cf was published for rama (Rust) Jul 7, 2026
chaitanyagarware Credited to chaitanyagarware
Better Auth: Stale sessions persist after user deletion across admin, anonymous, and SCIM flows Low
GHSA-2vg6-77g8-24mp was published for @better-auth/scim (npm) Jul 7, 2026
iruizsalinas Credited to iruizsalinas
netfoil: Attacker controlled data written to logs Low
GHSA-7856-g3gv-9wq8 was published for github.com/tinfoil-factory/netfoil (Go) Jul 7, 2026
stigtsp Credited to stigtsp
netfoil has a resource leak in LRU cache Low
GHSA-3g4q-2f67-2gvh was published for github.com/tinfoil-factory/netfoil (Go) Jul 7, 2026
stigtsp Credited to stigtsp
Aider has an SSRF vulnerability through its AWS EC2 Metadata Endpoint Low
CVE-2026-10177 was published for aider-chat (pip) May 31, 2026
ProTip! Advisories are also available from the GraphQL API