Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

6,791 advisories

Loading
SafeInstall agent guard shell parsing can miss raw package execution High
GHSA-xrmc-c5cg-rv7x was published for safeinstall-cli (npm) Jul 10, 2026
tarteaucitron: data-cookie attribute can be used to delete arbitrary cookies Moderate
CVE-2026-49977 was published for tarteaucitronjs (npm) Jul 10, 2026
Rudloff Credited to Rudloff
libp2p: CPU DoS via oversized IHAVE and IWANT control message arrays High
CVE-2026-49866 was published for @libp2p/gossipsub (npm) Jul 10, 2026
tahaafarooq Credited to tahaafarooq
morgan vulnerable to Log Forging via unneutralized control characters in :remote-user Moderate
CVE-2026-5078 was published for morgan (npm) Jul 10, 2026
yuki-matsuhashi Credited to yuki-matsuhashi, UlisesGascon, and jonchurch UlisesGascon UlisesGascon
jonchurch jonchurch
Gittensory: Missing contributor-scoped access control on profile endpoint and MCP tool leaks miner financial data Moderate
GHSA-382c-vx95-w3p5 was published for @jsonbored/gittensory-mcp (npm) Jul 9, 2026
homanp Credited to homanp
Waku has an Open Redirect via `unstable_redirect` Helper Low
CVE-2026-49456 was published for waku (npm) Jul 8, 2026
j0hndo Credited to j0hndo
Waku: Cross-Origin CSRF on RSC Server Action Dispatch Moderate
CVE-2026-49455 was published for waku (npm) Jul 8, 2026
j0hndo Credited to j0hndo
@better-auth/scim: Account/provider takeover via missing owner binding on non-org SCIM providers High
GHSA-j8v8-g9cx-5qf4 was published for @better-auth/scim (npm) Jul 7, 2026
Jvr2022 Credited to Jvr2022
Better Auth: Stale sessions persist after user deletion across admin, anonymous, and SCIM flows Low
GHSA-2vg6-77g8-24mp was published for @better-auth/scim (npm) Jul 7, 2026
iruizsalinas Credited to iruizsalinas
chdanielmueller Credited to chdanielmueller
@better-auth/sso provider registration has server-side request forgery via unvalidated OIDC endpoints Critical
CVE-2026-53513 was published for @better-auth/sso (npm) Jul 7, 2026
vaadata-poyetont Credited to vaadata-poyetont
Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption High
CVE-2026-53517 was published for @better-auth/oauth-provider (npm) Jul 7, 2026
chdanielmueller Credited to chdanielmueller
subhanUmer Credited to subhanUmer
Better Auth has stored XSS in the auth-server origin via javascript: redirect_uri in oidc-provider and mcp High
GHSA-86j7-9j95-vpqj was published for better-auth (npm) Jul 7, 2026
hillalee Credited to hillalee
Better Auth has an account takeover issue via OAuth auto-link to unverified pre-registered email High
CVE-2026-53516 was published for better-auth (npm) Jul 7, 2026
avrmeduard Credited to avrmeduard
widavies Credited to widavies
@better-auth/oauth-provider may provide access tokens for unauthorized audiences via unbound resource indicators Moderate
GHSA-p2fr-6hmx-4528 was published for @better-auth/oauth-provider (npm) Jul 7, 2026
dvanmali Credited to dvanmali
Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins Critical
CVE-2026-53512 was published for better-auth (npm) Jul 7, 2026
subhanUmer Credited to subhanUmer
@aborruso/ckan-mcp-server: SSRF via base_url allows access to internal networks (Potential fix bypass of CVE-2026-33060) Moderate
CVE-2026-53509 was published for @aborruso/ckan-mcp-server (npm) Jul 7, 2026
hibrian827 Credited to hibrian827
9router: Login brute-force protection bypass via spoofed X-Forwarded-For header High
CVE-2026-55501 was published for 9router (npm) Jul 6, 2026
dinhvaren Credited to dinhvaren
9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats Critical
GHSA-vjc7-jrh9-9j86 was published for 9router (npm) Jul 6, 2026
newnol Credited to newnol
Decompress: Archive extraction can create files and links outside of the target directory Critical
CVE-2026-53486 was published for @xhmikosr/decompress (npm) Jul 6, 2026
XhmikosR Credited to XhmikosR
SnailSploit Credited to SnailSploit and 0xShemesh 0xShemesh 0xShemesh
9router's Hardcoded Default fallback JWT Secret Allows Authentication Bypass Critical
CVE-2026-49352 was published for 9router (npm) Jul 2, 2026
kaito7926 Credited to kaito7926
ProTip! Advisories are also available from the GraphQL API