Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

11,776 advisories

Loading
melange: Incomplete package integrity verification allows data section substitution High
CVE-2026-54174 was published for chainguard.dev/apko (Go) Jul 10, 2026
xnox Credited to xnox and egibs egibs egibs
Jaspersoft Reports: Java Deserialization Vulnerability Lleads to Remote Code Execution (RCE) High
CVE-2026-6009 was published for net.sf.jasperreports:jasperreports (Maven) May 19, 2026
pmurck Credited to pmurck and yaso-bash yaso-bash yaso-bash
Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enabled is unset High
GHSA-h4g2-xfmw-q2c9 was published for clauster (pip) Jul 10, 2026
mcp-atlassian: Arbitrary file read via missing path validation in confluence_upload_attachment High
GHSA-g5r6-gv6m-f5jv was published for mcp-atlassian (pip) Jul 10, 2026
rainfantry Credited to rainfantry
mcp-atlassian: Arbitrary server-side file read via attachment upload High
GHSA-wm45-qh3g-v83f was published for mcp-atlassian (pip) Jul 10, 2026
0xmagic0 Credited to 0xmagic0
SafeInstall agent guard shell parsing can miss raw package execution High
GHSA-xrmc-c5cg-rv7x was published for safeinstall-cli (npm) Jul 10, 2026
NotrinosERP: Authenticated arbitrary file upload leads to remote code execution via HRM employee "Documents" (doc_file) High
GHSA-qv4m-m73m-8hj7 was published for notrinos/notrinos-erp (Composer) Jul 10, 2026
BabelDOC: Arbitrary Code Execution via CMap Pickle Deserialization in babeldoc/pdfminer/cmapdb.py High
CVE-2026-54071 was published for BabelDOC (pip) Jul 10, 2026
EQSTLab Credited to EQSTLab and awwaawwa awwaawwa awwaawwa
SiYuan: Stored XSS in Bazaar marketplace via package README event handlers High
CVE-2026-54070 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
kah-ja Credited to kah-ja
Excelize: Unbounded Row Index Allocation in Worksheet Parser (checkSheet OOM/Panic DoS) High
CVE-2026-54063 was published for github.com/xuri/excelize/v2 (Go) Jul 10, 2026
EQSTLab Credited to EQSTLab
SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file─read), Incomplete fix of CVE-2026-41894 High
CVE-2026-54066 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
aslein1413-sys Credited to aslein1413-sys
Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling High
CVE-2026-45260 was published for pimcore/pimcore (Composer) May 27, 2026
larlarua Credited to larlarua and kingjia90 kingjia90 kingjia90
Pimcore Platform - SQL Injection in DataObject composite index handling during class definition import/save High
CVE-2026-5394 was published for pimcore/pimcore (Composer) May 28, 2026
researchatfluidattacks Credited to researchatfluidattacks and kingjia90 kingjia90 kingjia90
Pimcore has a CustomReports Share Bypass High
CVE-2026-45704 was published for pimcore/pimcore (Composer) May 27, 2026
HuajiHD Credited to HuajiHD and kingjia90 kingjia90 kingjia90
Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction High
CVE-2026-45162 was published for pimcore/pimcore (Composer) May 27, 2026
tikket1 Credited to tikket1 and kingjia90 kingjia90 kingjia90
Pimcore Admin Classic Bundle Vulnerable to SQL Injection in Translation Grid Date Filter via Unsanitized Property Parameter High
CVE-2026-44741 was published for pimcore/admin-ui-classic-bundle (Composer) May 27, 2026
tikket1 Credited to tikket1 and kingjia90 kingjia90 kingjia90
Pimcore Vulnerable to SQL Injection in Custom Reports Column Configuration High
CVE-2026-44739 was published for pimcore/pimcore (Composer) May 27, 2026
msayedZiko Credited to msayedZiko and kingjia90 kingjia90 kingjia90
libp2p: CPU DoS via oversized IHAVE and IWANT control message arrays High
CVE-2026-49866 was published for @libp2p/gossipsub (npm) Jul 10, 2026
tahaafarooq Credited to tahaafarooq
Infinispan: Deserialization of untrusted data in the Hot Rod Java client via automatic byte-array deserialization High
CVE-2016-0750 was published for org.infinispan:infinispan-core (Maven) May 13, 2022
ws: Memory exhaustion DoS from tiny fragments and data chunks High
CVE-2026-48779 was published for ws (npm) Jun 15, 2026
Nadav0077 Credited to Nadav0077
Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records High
CVE-2026-45674 was published for io.netty:netty-resolver-dns (Maven) Jun 8, 2026
violetagg Credited to violetagg
golang.org/x/crypto: Invoking pathological RSA/DSA parameters may cause DoS High
CVE-2026-39829 was published for golang.org/x/crypto (Go) Jun 25, 2026
Netty has Insufficient Bailiwick Validation for NS Records High
CVE-2026-47691 was published for io.netty:netty-resolver-dns (Maven) Jun 8, 2026
violetagg Credited to violetagg
Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator High
CVE-2026-48006 was published for io.netty:netty-codec-redis (Maven) Jun 11, 2026
Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memory Exhaustion High
CVE-2026-48059 was published for io.netty:netty-codec-haproxy (Maven) Jun 11, 2026
ProTip! Advisories are also available from the GraphQL API