GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,277
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,105
Rust
1,489
Swift
61
Unreviewed advisories
All unreviewed
5,000+
828 advisories
Filter by severity
Note Mark: Unauthenticated disclosure of soft-deleted note metadata via deleted=true on public books
Moderate
CVE-2026-50554
was published
for
github.com/enchant97/note-mark/backend
(Go)
Jul 9, 2026
NL Portal: Missing per-user authorization on document and decision GraphQL queries in nl-portal-backend-libraries
Moderate
CVE-2026-49463
was published
for
nl.nl-portal:besluiten
(Maven)
Jul 8, 2026
Craft CMS: Sensitive File Disclosure / Server-Side File Read
Moderate
CVE-2026-55792
was published
for
craftcms/cms
(Composer)
Jul 6, 2026
Craft CMS: Authenticated "assets/preview-thumb" discloses signed fallback transform preview link to CP users without asset-view permission
Moderate
GHSA-x76w-8c62-48mg
was published
for
craftcms/cms
(Composer)
Jul 6, 2026
@nuxt/ui: UAuthForm / UForm SSR markup omits `method`, leaking credentials via GET if submitted before hydration
Moderate
GHSA-gj2h-2fpw-fhv9
was published
for
@nuxt/ui
(npm)
Jul 2, 2026
Froxlor: Authenticated customers can read other customers' allowed sender aliases
Moderate
GHSA-mr9h-45p9-fg8h
was published
for
froxlor/froxlor
(Composer)
Jul 2, 2026
Kerberos Hub private key (X-Kerberos-Hub-PrivateKey) leaked to cross-host redirect target due to redirect-following HTTP client without CheckRedirect
Moderate
CVE-2026-50192
was published
for
github.com/kerberos-io/agent/machinery
(Go)
Jul 2, 2026
OpenClaw MCP SSE redirects could forward Authorization headers
Moderate
GHSA-9c3v-684m-579c
was published
for
openclaw
(npm)
Jul 1, 2026
ORAS Go forwards registry credentials across registry redirects
Moderate
GHSA-vh4v-2xq2-g5cg
was published
for
oras.land/oras-go/v2
(Go)
Jul 1, 2026
SurrealDB: Graph traversal bypasses table SELECT permissions
Moderate
GHSA-vjjx-rfw4-rmfc
was published
for
surrealdb
(Rust)
Jul 1, 2026
repomix: attach_packed_output can bypass file-read secret scanning for supported local files
Moderate
CVE-2026-49988
was published
for
repomix
(npm)
Jul 1, 2026
Nezha Dashboard: DDNS and Notification credential exposure via unredacted list API
Moderate
GHSA-ww5p-j6cj-6mqq
was published
for
github.com/nezhahq/nezha
(Go)
Jun 26, 2026
pnpm: Repository config can expand victim environment secrets into registry requests before scripts run
Moderate
CVE-2026-55180
was published
for
pnpm
(npm)
Jun 26, 2026
pnpm binds unscoped user-level npm auth credentials to a repository-selected registry
Moderate
CVE-2026-50017
was published
for
pnpm
(npm)
Jun 26, 2026
@microsoft/kiota-http-fetchlibrary: Bearer token and Cookie leak across origin on redirect due to case-mismatched scrub in fetchRequestAdapter
Moderate
CVE-2026-49336
was published
for
@microsoft/kiota-http-fetchlibrary
(npm)
Jun 26, 2026
Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources
Moderate
CVE-2026-49288
was published
for
statamic/cms
(Composer)
Jun 26, 2026
WebauthnAuthenticator leaks sensitive HTTP headers through INFO-level logs
Moderate
GHSA-q683-8468-r6h6
was published
for
web-auth/webauthn-symfony-bundle
(Composer)
Jun 26, 2026
ImageMagick: Policy Bypass can read disallowed files via symlink
Moderate
CVE-2026-49219
was published
for
Magick.NET-Q16-AnyCPU
(NuGet)
Jun 25, 2026
@anthropic-ai/claude-code has an Insecure Temporary File in /copy Command that Enables Response Disclosure and Symlink-Based File Write
Moderate
CVE-2026-46406
was published
for
@anthropic-ai/claude-code
(npm)
Jun 25, 2026
Gogs Vulnerable to Unauthenticated Organization Teams Information Disclosure via API
Moderate
CVE-2026-52815
was published
for
gogs.io/gogs
(Go)
Jun 23, 2026
SurrealDB: Indexed ORDER BY leaks the value ordering of a SELECT-restricted field
Moderate
GHSA-h4h3-3rfj-x6fq
was published
for
surrealdb
(Rust)
Jun 19, 2026
http4k: BasicCookieStorage` (renamed `InsecureCookieStorage`) did not enforce RFC 6265 cookie scoping; new `DefaultCookieStorage` is now the default
Moderate
GHSA-pr33-38xx-6r26
was published
for
org.http4k:http4k-core
(Maven)
Jun 19, 2026
dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens
Moderate
CVE-2026-55837
was published
for
dbt-mcp
(pip)
Jun 19, 2026
Grafana Operator: Privilege escalation from namespace admin to cluster admin via GrafanaDashboard jsonnetLib fileName
Moderate
CVE-2026-11769
was published
for
github.com/grafana/grafana-operator
(Go)
Jun 19, 2026
parse-server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied
Moderate
CVE-2026-53725
was published
for
parse-server
(npm)
Jun 19, 2026
ProTip!
Advisories are also available from the
GraphQL API