Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

14,499 advisories

Loading
Excon does not redact additional sensitive/risky headers when following redirects Moderate
CVE-2026-54171 was published for excon (RubyGems) Jul 10, 2026
SnailSploit Credited to SnailSploit
Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input Moderate
CVE-2026-54163 was published for secure_headers (RubyGems) Jul 10, 2026
tonghuaroot Credited to tonghuaroot
Lechu69 Credited to Lechu69
SiYuan: Unauthenticated SQLite Data Exfiltration via Template Injection in /api/icon/getDynamicIcon Moderate
CVE-2026-54068 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
geo-chen Credited to geo-chen
0xmrma Credited to 0xmrma
Pimcore has a WordExport Authorization Bypass for Unauthorized Document Export Moderate
CVE-2026-45703 was published for pimcore/pimcore (Composer) May 27, 2026
HuajiHD Credited to HuajiHD and kingjia90 kingjia90 kingjia90
MCP Atlassian: DNS-rebinding TOCTOU bypass of the SSRF fix (CVE-2026-27826) Moderate
GHSA-489g-7rxv-6c8q was published for mcp-atlassian (pip) Jul 10, 2026
daniel-mertz Credited to daniel-mertz
tarteaucitron: data-cookie attribute can be used to delete arbitrary cookies Moderate
CVE-2026-49977 was published for tarteaucitronjs (npm) Jul 10, 2026
Rudloff Credited to Rudloff
Kimai has Server-Side Request Forgery in Invoice PDF Rendering via Markdown Image URLs Moderate
CVE-2026-49865 was published for kimai/kimai (Composer) Jul 10, 2026
Mitchell45 Credited to Mitchell45
morgan vulnerable to Log Forging via unneutralized control characters in :remote-user Moderate
CVE-2026-5078 was published for morgan (npm) Jul 10, 2026
yuki-matsuhashi Credited to yuki-matsuhashi, UlisesGascon, and jonchurch UlisesGascon UlisesGascon
jonchurch jonchurch
tillmon Credited to tillmon and soyuka soyuka soyuka
netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion Moderate
CVE-2026-48043 was published for io.netty:netty-codec-http2 (Maven) Jun 11, 2026
golang.org/x/crypto is vulnerable to invoking server panic during CheckHostKey/Authenticate flow Moderate
CVE-2026-39835 was published for golang.org/x/crypto (Go) Jun 25, 2026
x41j Credited to x41j, ehhthing, and nic-lovin ehhthing ehhthing
nic-lovin nic-lovin
golang.org/x/crypto vulnerable to invoking bypass of certificate restrictions Moderate
CVE-2026-39828 was published for golang.org/x/crypto (Go) Jun 25, 2026
GoBGP confederation validation panics on empty AS_PATH attribute Moderate
CVE-2026-49838 was published for github.com/osrg/gobgp/v4 (Go) Jul 9, 2026
acorn421 Credited to acorn421 and hibrian827 hibrian827 hibrian827
GoBGP: BGP OPEN capability parser may read capability values outside declared CapLen boundaries Moderate
CVE-2026-49837 was published for github.com/osrg/gobgp/v4 (Go) Jul 9, 2026
leo123-all Credited to leo123-all
psd-tools vulnerable to arbitrary file write via smart-object filename Moderate
CVE-2026-49836 was published for psd-tools (pip) Jul 9, 2026
seankohjs Credited to seankohjs and yueyueL yueyueL yueyueL
sigstore-go has a multi-log threshold bypass via single compromised log Moderate
CVE-2026-49834 was published for github.com/sigstore/sigstore-go (Go) Jul 9, 2026
Rattler vulnerable to package cache path traversal via conda package build string Moderate
CVE-2026-53956 was published for py_rattler (pip) Jul 9, 2026
OpenRun: Redirect URL validation bypass using  //host  paths leads to Open Redirect Moderate
CVE-2026-55252 was published for github.com/openrundev/openrun (Go) Jul 9, 2026
Fushuling Credited to Fushuling and RacerZ-fighting RacerZ-fighting RacerZ-fighting
mint: Content-Length header accepts non-RFC "+" sign prefix Moderate
CVE-2026-49753 was published for mint (Erlang) Jul 9, 2026
PJUllrich Credited to PJUllrich, ericmj, and maennchen ericmj ericmj
maennchen maennchen
Jupyter Server vulnerable to Path Traversal via incorrect root directory boundary check in _get_os_path() Moderate
CVE-2026-5422 was published for jupyter-server (pip) Jun 2, 2026
ProTip! Advisories are also available from the GraphQL API