GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
6,791 advisories
Filter by severity
SafeInstall agent guard shell parsing can miss raw package execution
High
GHSA-xrmc-c5cg-rv7x
was published
for
safeinstall-cli
(npm)
Jul 10, 2026
tarteaucitron: data-cookie attribute can be used to delete arbitrary cookies
Moderate
CVE-2026-49977
was published
for
tarteaucitronjs
(npm)
Jul 10, 2026
libp2p: CPU DoS via oversized IHAVE and IWANT control message arrays
High
CVE-2026-49866
was published
for
@libp2p/gossipsub
(npm)
Jul 10, 2026
morgan vulnerable to Log Forging via unneutralized control characters in :remote-user
Moderate
CVE-2026-5078
was published
for
morgan
(npm)
Jul 10, 2026
Gittensory: Missing contributor-scoped access control on profile endpoint and MCP tool leaks miner financial data
Moderate
GHSA-382c-vx95-w3p5
was published
for
@jsonbored/gittensory-mcp
(npm)
Jul 9, 2026
Waku has an Open Redirect via `unstable_redirect` Helper
Low
CVE-2026-49456
was published
for
waku
(npm)
Jul 8, 2026
Waku: Cross-Origin CSRF on RSC Server Action Dispatch
Moderate
CVE-2026-49455
was published
for
waku
(npm)
Jul 8, 2026
@better-auth/scim: Account/provider takeover via missing owner binding on non-org SCIM providers
High
GHSA-j8v8-g9cx-5qf4
was published
for
@better-auth/scim
(npm)
Jul 7, 2026
Better Auth: Stale sessions persist after user deletion across admin, anonymous, and SCIM flows
Low
GHSA-2vg6-77g8-24mp
was published
for
@better-auth/scim
(npm)
Jul 7, 2026
@better-auth/oauth-provider's OAuth authorization-code grant allows concurrent redemption when two token requests race the find-then-delete primitive
High
CVE-2026-53518
was published
for
@better-auth/oauth-provider
(npm)
Jul 7, 2026
@better-auth/sso provider registration has server-side request forgery via unvalidated OIDC endpoints
Critical
CVE-2026-53513
was published
for
@better-auth/sso
(npm)
Jul 7, 2026
Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption
High
CVE-2026-53517
was published
for
@better-auth/oauth-provider
(npm)
Jul 7, 2026
Better Auth has insecure cryptographic defaults in oidcProvider: alg=none advertised and plain PKCE accepted by default
High
GHSA-9h47-pqcx-hjr4
was published
for
better-auth
(npm)
Jul 7, 2026
Better Auth has stored XSS in the auth-server origin via javascript: redirect_uri in oidc-provider and mcp
High
GHSA-86j7-9j95-vpqj
was published
for
better-auth
(npm)
Jul 7, 2026
Better Auth has an account takeover issue via OAuth auto-link to unverified pre-registered email
High
CVE-2026-53516
was published
for
better-auth
(npm)
Jul 7, 2026
Better Auth vulnerable to unauthorized invitation acceptance via unverified email match in organization plugin
High
CVE-2026-53514
was published
for
better-auth
(npm)
Jul 7, 2026
@better-auth/oauth-provider may provide access tokens for unauthorized audiences via unbound resource indicators
Moderate
GHSA-p2fr-6hmx-4528
was published
for
@better-auth/oauth-provider
(npm)
Jul 7, 2026
Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins
Critical
CVE-2026-53512
was published
for
better-auth
(npm)
Jul 7, 2026
@aborruso/ckan-mcp-server: SSRF via base_url allows access to internal networks (Potential fix bypass of CVE-2026-33060)
Moderate
CVE-2026-53509
was published
for
@aborruso/ckan-mcp-server
(npm)
Jul 7, 2026
9router: Login brute-force protection bypass via spoofed X-Forwarded-For header
High
CVE-2026-55501
was published
for
9router
(npm)
Jul 6, 2026
9routers has Exposure of Sensitive Information and Unprotected Database Import/Export, Allowing Complete Credential Theft and Database Takeover
Critical
CVE-2026-55500
was published
for
9router
(npm)
Jul 6, 2026
9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats
Critical
GHSA-vjc7-jrh9-9j86
was published
for
9router
(npm)
Jul 6, 2026
Decompress: Archive extraction can create files and links outside of the target directory
Critical
CVE-2026-53486
was published
for
@xhmikosr/decompress
(npm)
Jul 6, 2026
9router has an Incomplete Fix: Local-Only Access Gate Bypass in 9router via Host Header SpoofING
High
CVE-2026-49353
was published
for
9router
(npm)
Jul 2, 2026
9router's Hardcoded Default fallback JWT Secret Allows Authentication Bypass
Critical
CVE-2026-49352
was published
for
9router
(npm)
Jul 2, 2026
ProTip!
Advisories are also available from the
GraphQL API