Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,048 advisories

Loading
Liquidfiles versions before 4.2.12 are affected by a broken access control vulnerability... Moderate Unreviewed
CVE-2026-12673 was published Jun 20, 2026
offset Credited to offset and MatissJanis MatissJanis MatissJanis
OpenAM Authenticated Privilege Escalation via Raw Token Disclosure Session RPC High
CVE-2026-45048 was published for org.openidentityplatform.openam:openam-core (Maven) Jun 23, 2026
wodzen Credited to wodzen
Snipe-IT has Improper Authorization in File Deletion (IDOR) Low
CVE-2026-55519 was published for snipe/snipe-it (Composer) Jun 23, 2026
windbreaker555 Credited to windbreaker555
OpenAM Pre-auth User Profile Tampering via Anonymous SOAP Authn in Liberty IDPP/Discovery Endpoints Critical
CVE-2026-45052 was published for org.openidentityplatform.openam:openam-federation-library (Maven) Jun 24, 2026
wodzen Credited to wodzen
Lemur: ACME SSRF + creator-equality IDOR lead to AWS IAM/PKI compromise Critical
CVE-2026-55166 was published for lemur (pip) Jun 25, 2026
im-rootkid Credited to im-rootkid
Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data Moderate
CVE-2026-49397 was published for github.com/nezhahq/nezha (Go) Jun 10, 2026
offset Credited to offset
Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR) High
CVE-2026-49338 was published for go.senan.xyz/gonic (Go) Jun 26, 2026
therawdev Credited to therawdev
OpenAM OAuth Authorization Bypass via PKCE Challenge Moderate
CVE-2026-48717 was published for org.openidentityplatform.openam:openam-oauth2 (Maven) Jun 29, 2026
wodzen Credited to wodzen
SurrealDB: `RELATE` overwrites existing edge records without `UPDATE` permission Moderate
GHSA-f82j-v89j-mf86 was published for surrealdb (Rust) Jul 1, 2026
SurrealDB: Edge PERMISSIONS FOR delete bypassed when a connected node is deleted Moderate
CVE-2026-49997 was published for surrealdb (Rust) Jul 1, 2026
ProTip! Advisories are also available from the GraphQL API