Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

18 advisories

Loading
GoFiber never set HSTS header in helmet middleware due to incorrect protocol check Moderate
CVE-2026-53624 was published for github.com/gofiber/fiber (Go) Jul 6, 2026
sondt99 Credited to sondt99, dungNHVhust, gaby, and ReneWerner87 dungNHVhust dungNHVhust
gaby gaby ReneWerner87 ReneWerner87
sondt99 Credited to sondt99
Nezha Dashboard: DDNS and Notification credential exposure via unredacted list API Moderate
GHSA-ww5p-j6cj-6mqq was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
sondt99 Credited to sondt99
Nezha Monitoring: Authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing Moderate
CVE-2026-53520 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
sondt99 Credited to sondt99
sondt99 Credited to sondt99
Network-AI: AgentRuntime sandbox path-prefix checks allow file access outside the configured base directory Moderate
GHSA-jvcm-f35g-w78p was published for network-ai (npm) Jun 19, 2026
sondt99 Credited to sondt99
BBOT: Path traversal (Zip-Slip) in unarchive module - incomplete fix for CVE-2025-10284 Moderate
CVE-2026-12565 was published for bbot (pip) Jun 18, 2026
sondt99 Credited to sondt99
pypdf: Missing stream length values ignore defined limits Moderate
GHSA-jm82-fx9c-mx94 was published for pypdf (pip) Jun 18, 2026
sondt99 Credited to sondt99 and stefan6419846 stefan6419846 stefan6419846
PraisonAI: Unauthenticated Event Injection via SSE `/publish` Endpoint Moderate
GHSA-35w5-pcw4-jx94 was published for praisonaiagents (pip) Jun 18, 2026
sondt99 Credited to sondt99
UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()` Moderate
CVE-2026-48125 was published for ua-parser-js (npm) Jun 15, 2026
sondt99 Credited to sondt99
protobufjs: Memory amplification from preserved unknown fields in binary decode Moderate
CVE-2026-54270 was published for protobufjs (npm) Jun 15, 2026
sondt99 Credited to sondt99 and dcodeIO dcodeIO dcodeIO
Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitrary message header injection Moderate
GHSA-268h-hp4c-crq3 was published for nodemailer (npm) Jun 15, 2026
sondt99 Credited to sondt99 and dungNHVhust dungNHVhust dungNHVhust
Nodemailer jsonTransport bypasses disableFileAccess and disableUrlAccess during message normalization Moderate
GHSA-wqvq-jvpq-h66f was published for nodemailer (npm) Jun 15, 2026
sondt99 Credited to sondt99 and dungNHVhust dungNHVhust dungNHVhust
sondt99 Credited to sondt99 and stefan6419846 stefan6419846 stefan6419846
pypdf: Possible large memory usage for large offsets for layout mode text Moderate
CVE-2026-48155 was published for pypdf (pip) Jun 12, 2026
sondt99 Credited to sondt99 and stefan6419846 stefan6419846 stefan6419846
sondt99 Credited to sondt99
Nezha's authenticated DDNS webhook configuration allows blind SSRF from the dashboard host Moderate
CVE-2026-47268 was published for github.com/naiba/nezha (Go) May 29, 2026
sondt99 Credited to sondt99
Nezha Monitoring: Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members Moderate
CVE-2026-47124 was published for github.com/nezhahq/nezha (Go) May 23, 2026
sondt99 Credited to sondt99
ProTip! Advisories are also available from the GraphQL API