Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

16 advisories

Loading
AVideo Vulnerable to Unauthenticated .env File Exposure via Official Docker Compose Configuration High
CVE-2026-33692 was published for wwbn/avideo (Composer) Jun 22, 2026
morimori-dev Credited to morimori-dev
ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components Low
CVE-2026-55671 was published for github.com/zitadel/zitadel (Go) Jun 18, 2026
wooseokdotkim Credited to wooseokdotkim, IAM-marco, livio-a, 0xBassia, alanturing881, dungNHVhust, sondt99, DavidCarliez, tikket1, Wernerina, morimori-dev, and vamsik2k5 IAM-marco IAM-marco
livio-a livio-a 0xBassia 0xBassia alanturing881 alanturing881 dungNHVhust dungNHVhust sondt99 sondt99 DavidCarliez DavidCarliez tikket1 tikket1 Wernerina Wernerina morimori-dev morimori-dev vamsik2k5 vamsik2k5
morimori-dev Credited to morimori-dev
Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation High
CVE-2026-45548 was published for @budibase/server (npm) May 15, 2026
morimori-dev Credited to morimori-dev
MantisBT is Vulnerable to Stored XSS in Custom Field Textarea Values Moderate
CVE-2026-39960 was published for mantisbt/mantisbt (Composer) May 11, 2026
morimori-dev Credited to morimori-dev, dregad, and TristanInSec dregad dregad
TristanInSec TristanInSec
Open WebUI has Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order Moderate
CVE-2026-44568 was published for open-webui (pip) May 8, 2026
morimori-dev Credited to morimori-dev and Classic298 Classic298 Classic298
Gotenberg has ExifTool stdin argument injection via metadata value newlines (bypass of key sanitization fix) Critical
CVE-2026-40281 was published for github.com/gotenberg/gotenberg/v8 (Go) Apr 30, 2026
morimori-dev Credited to morimori-dev
Gotenberg has case-insensitive URL scheme that bypasses webhook and downloadFrom deny-list SSRF protection High
CVE-2026-40280 was published for github.com/gotenberg/gotenberg/v8 (Go) Apr 30, 2026
morimori-dev Credited to morimori-dev
Glances has CQL Injection in its Cassandra Export Module via Unsanitized Config Values Moderate
CVE-2026-35588 was published for glances (pip) Apr 21, 2026
morimori-dev Credited to morimori-dev
YesWiki vulnerable to authenticated SQL Injection via id_fiche in EntryManager::formatDataBeforeSave() High
CVE-2026-41143 was published for yeswiki/yeswiki (Composer) Apr 18, 2026
morimori-dev Credited to morimori-dev
Kimai has an Open Redirect via Unvalidated RelayState in SAML ACS Handler Low
GHSA-3jp4-mhh4-gcgr was published for kimai/kimai (Composer) Apr 14, 2026
morimori-dev Credited to morimori-dev
rhukster/dom-sanitizer: SVG <style> tag allows CSS injection via unfiltered url() and @import directives Moderate
CVE-2026-40301 was published for rhukster/dom-sanitizer (Composer) Apr 10, 2026
morimori-dev Credited to morimori-dev
Authorizer: CQL/N1QL Injection in Cassandra and Couchbase Backends via fmt.Sprintf String Interpolation High
GHSA-jfwg-rxf3-p7r9 was published for github.com/authorizerdev/authorizer (Go) Apr 6, 2026
morimori-dev Credited to morimori-dev
pyLoad: SSRF in parse_urls API endpoint via unvalidated URL parameter High
CVE-2026-35187 was published for pyload-ng (pip) Apr 4, 2026
morimori-dev Credited to morimori-dev
Nautobot: Management of users via REST API does not apply configured password validators Low
CVE-2026-34203 was published for nautobot (pip) Mar 31, 2026
morimori-dev Credited to morimori-dev
Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items Moderate
CVE-2026-33628 was published for invoiceninja/invoiceninja (Composer) Mar 24, 2026
morimori-dev Credited to morimori-dev
ProTip! Advisories are also available from the GraphQL API