Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,047 advisories

Loading
Note Mark: Unauthenticated disclosure of soft-deleted note metadata via deleted=true on public books Moderate
CVE-2026-50554 was published for github.com/enchant97/note-mark/backend (Go) Jul 9, 2026
Yunkaiwjs Credited to Yunkaiwjs and enchant97 enchant97 enchant97
NL Portal: Missing per-user authorization on document and decision GraphQL queries in nl-portal-backend-libraries Moderate
CVE-2026-49463 was published for nl.nl-portal:besluiten (Maven) Jul 8, 2026
@better-auth/oauth-provider may provide access tokens for unauthorized audiences via unbound resource indicators Moderate
GHSA-p2fr-6hmx-4528 was published for @better-auth/oauth-provider (npm) Jul 7, 2026
dvanmali Credited to dvanmali
Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator High
CVE-2026-55428 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder: User-admin role can reset owner account password High
CVE-2026-55077 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
A vulnerability was detected in Craft CMS up to 4.18.0.1. Affected is the function... Moderate Unreviewed
CVE-2026-14793 was published Jul 6, 2026
A vulnerability was detected in mjperpinosa stumasy up to... Moderate Unreviewed
CVE-2026-14753 was published Jul 5, 2026
Steeltoe's sensitive actuators (heapdump/env) only require Restricted permission Moderate
CVE-2026-50201 was published for Steeltoe.Management.Endpoint (NuGet) Jul 2, 2026
Froxlor customer can create MySQL databases on disallowed servers via Mysqls.add API Moderate
GHSA-q4rm-m6xh-5pv7 was published for froxlor/froxlor (Composer) Jul 2, 2026
offset Credited to offset
Craft CMS: Authorship spoofing in `entries/save-entry` via pre-check/post-mutation authorization gap High
CVE-2026-50279 was published for craftcms/cms (Composer) Jul 2, 2026
larlarua Credited to larlarua
SurrealDB: Edge PERMISSIONS FOR delete bypassed when a connected node is deleted Moderate
CVE-2026-49997 was published for surrealdb (Rust) Jul 1, 2026
SurrealDB: `RELATE` overwrites existing edge records without `UPDATE` permission Moderate
GHSA-f82j-v89j-mf86 was published for surrealdb (Rust) Jul 1, 2026
ProTip! Advisories are also available from the GraphQL API