Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

597 advisories

Loading
sigstore-go has a multi-log threshold bypass via single compromised log Moderate
CVE-2026-49834 was published for github.com/sigstore/sigstore-go (Go) Jul 9, 2026
@better-auth/sso provider registration has server-side request forgery via unvalidated OIDC endpoints Critical
CVE-2026-53513 was published for @better-auth/sso (npm) Jul 7, 2026
vaadata-poyetont Credited to vaadata-poyetont
Better Auth has an account takeover issue via OAuth auto-link to unverified pre-registered email High
CVE-2026-53516 was published for better-auth (npm) Jul 7, 2026
avrmeduard Credited to avrmeduard
widavies Credited to widavies
Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins Critical
CVE-2026-53512 was published for better-auth (npm) Jul 7, 2026
subhanUmer Credited to subhanUmer
defuse Credited to defuse, nuttycom, daira, conradoplg, mpguerra, and alchemydc nuttycom nuttycom
daira daira conradoplg conradoplg mpguerra mpguerra alchemydc alchemydc
Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access Moderate
CVE-2026-55430 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Zebra has sync restart poisoning from single unauthenticated peer via above-lookahead block Moderate
CVE-2026-52737 was published for zebra-consensus (Rust) Jul 2, 2026
ipwning Credited to ipwning, mpguerra, conradoplg, and oxarbitrage mpguerra mpguerra
conradoplg conradoplg oxarbitrage oxarbitrage
OpenClaw: Trusted retry endpoint checks could match hostname prefixes High
GHSA-77q5-rr5v-x43q was published for openclaw (npm) Jul 2, 2026
ccy41928-del Credited to ccy41928-del
Rancher Fleet has Unauthenticated Webhook: Regex Injection via Unsanitized Repository URL Components High
CVE-2026-44937 was published for github.com/rancher/fleet (Go) Jul 1, 2026
sigstore-js has Insufficient Verification of Data Authenticity Moderate
CVE-2026-48816 was published for @sigstore/verify (npm) Jul 1, 2026
1seal Credited to 1seal, Str1ckl4nd, and Zyy0530 Str1ckl4nd Str1ckl4nd
Zyy0530 Zyy0530
pnpm: Unsafe default behavior breaks integrity check Moderate
CVE-2026-50573 was published for pnpm (npm) Jun 26, 2026
aszx87410 Credited to aszx87410
chi Has an IP Spoofing Vulnerability in `middleware.RealIP` Moderate
GHSA-3fxj-6jh8-hvhx was published for github.com/go-chi/chi/v5/middleware (Go) Jun 25, 2026
Saku0512 Credited to Saku0512
Gogs: LFS dedupe path leaks private repo content across tenants High
CVE-2026-52812 was published for gogs.io/gogs (Go) Jun 23, 2026
amwhoi Credited to amwhoi
AVideo has an Authorize.Net Webhook Signature Bypass that Enables Wallet Balance Inflation via Forged Payment Data Moderate
CVE-2026-33731 was published for wwbn/avideo (Composer) Jun 22, 2026
offset Credited to offset
Crossplane: Signature verification TOCTOU allows installing unverified package content via mutable tag Critical
GHSA-wfqx-gjrf-g28r was published for github.com/crossplane/crossplane (Go) Jun 19, 2026
bugbunny-research Credited to bugbunny-research and tonghuaroot tonghuaroot tonghuaroot
ProTip! Advisories are also available from the GraphQL API