Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

11,813 advisories

Loading
NetLicensing-MCP: Unauthenticated Use of Server-Side NetLicensing API Key in HTTP Mode High
CVE-2026-54446 was published for netlicensing-mcp (pip) Jul 14, 2026
EQSTLab Credited to EQSTLab
Woodpecker: Privilege escalation via unrestricted serviceAccountName in the Kubernetes backend High
CVE-2026-61549 was published for github.com/woodpecker-ci/woodpecker (Go) Jul 14, 2026
AnuragBathani Credited to AnuragBathani
Nebula-mesh allows non-admin operators to disable webhook SSRF protection via `allow_private` High
GHSA-7rx3-5wx3-5v76 was published for github.com/forgekeep/nebula-mesh (Go) Jul 14, 2026
adamyordan Credited to adamyordan
nebula-mesh: Certificate revocation is never enforced at the mesh High
CVE-2026-61699 was published for github.com/forgekeep/nebula-mesh (Go) Jul 14, 2026
Pig-Tail Credited to Pig-Tail
Anyquery: Local File Read (LFR) via Unrestricted SQLite Virtual Table Modules in Server Mode High
CVE-2026-54629 was published for github.com/julien040/anyquery (Go) Jul 14, 2026
Metincloup Credited to Metincloup
nebula-mesh: Operator session tokens stored in plaintext in the database High
CVE-2026-53603 was published for github.com/forgekeep/nebula-mesh (Go) Jul 14, 2026
Netty: Denial of Service via Unbounded Headers in StompSubframeDecoder High
CVE-2026-44891 was published for io.netty:netty-codec-stomp (Maven) Jul 14, 2026
violetagg Credited to violetagg
nebula-mesh: CA private key not zeroized on web mobile-bundle error paths High
CVE-2026-53604 was published for github.com/forgekeep/nebula-mesh (Go) Jul 14, 2026
Anyquery: Server-Side Request Forgery (SSRF) via Unrestricted SQLite Virtual Table Modules in Server Mode High
CVE-2026-54628 was published for github.com/julien040/anyquery (Go) Jul 14, 2026
Metincloup Credited to Metincloup
Ech0: ParseAcceptLanguage `_` separator bypass enables ~70x CPU amplification via Accept-Language header in i18n.Middleware High
GHSA-mqxv-9rm6-w8qc was published for github.com/lin-snow/ech0 (Go) Jul 14, 2026
tonghuaroot Credited to tonghuaroot
Trivy: Helm chart tar bomb causes OOM via unbounded io.ReadAll in parser High
CVE-2026-54448 was published for github.com/aquasecurity/trivy (Go) Jul 14, 2026
EasyAdmin: Stored Cross-Site Scripting (XSS) via uploaded files served inline in FileField and ImageField High
CVE-2026-54087 was published for easycorp/easyadmin-bundle (Composer) Jul 14, 2026
TsDProxy: X-Forwarded-For header injection allows IP spoofing in proxied requests to backend services High
GHSA-pqg7-v6wh-3pfp was published for github.com/almeidapaulopt/tsdproxy (Go) Jul 14, 2026
yutu: Arbitrary File Write via MCP `caption-download` Tool High
CVE-2026-50158 was published for github.com/eat-pray-ai/yutu (Go) Jul 14, 2026
EQSTLab Credited to EQSTLab
Woodpecker gRPC agent_id metadata can be spoofed- cross-tenant agent impersonation High
CVE-2026-50141 was published for go.woodpecker-ci.org/woodpecker/v3 (Go) Jul 14, 2026
shivamkumarcyber Credited to shivamkumarcyber
chaitanyagarware Credited to chaitanyagarware
MKP: Unbounded Pod Log Read via Attacker-Controlled `limitBytes`/`tailLines` Causes Memory Exhaustion High
CVE-2026-50125 was published for github.com/StacklokLabs/mkp (Go) Jul 14, 2026
EQSTLab Credited to EQSTLab
Hoverfly: Process Crash via Concurrent Map Write Race Condition in Diff Mode High
CVE-2026-50013 was published for github.com/SpectoLabs/hoverfly (Go) Jul 14, 2026
Kr1shna4garwal Credited to Kr1shna4garwal
FacturaScripts: Unauthenticated Path Traversal in Static File Controllers Reads Private MyFiles Documents High
CVE-2026-45693 was published for facturascripts/facturascripts (Composer) Jul 14, 2026
5kr1pt Credited to 5kr1pt
OpenCost ServiceKey Endpoint Unauthorized Credential Overwrite/Injection High
CVE-2026-44300 was published for github.com/opencost/opencost (Go) Jul 14, 2026
b0b0haha Credited to b0b0haha
Kimai: Pre-2FA KIMAI_SESSION cookie grants full authenticated REST API access, bypassing TOTP High
CVE-2026-52827 was published for kimai/kimai (Composer) Jul 14, 2026
shafiqaimanx Credited to shafiqaimanx
json_repair: Circular JSON Schema `$ref` causes unbounded CPU DoS High
GHSA-xf7x-x43h-rpqh was published for json-repair (pip) Jul 13, 2026
DIRAC: SQL injection and lack of access control in PilotManager service High
GHSA-7xw9-549r-8jrc was published for DIRAC (pip) Jul 13, 2026
sfayer Credited to sfayer
DIRAC: Pilot code downloaded over unverified HTTPS connection High
CVE-2026-61668 was published for DIRAC (pip) Jul 13, 2026
sfayer Credited to sfayer
ProTip! Advisories are also available from the GraphQL API