GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,282
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,105
Rust
1,490
Swift
61
Unreviewed advisories
All unreviewed
5,000+
597 advisories
Filter by severity
sigstore-go has a multi-log threshold bypass via single compromised log
Moderate
CVE-2026-49834
was published
for
github.com/sigstore/sigstore-go
(Go)
Jul 9, 2026
@better-auth/sso provider registration has server-side request forgery via unvalidated OIDC endpoints
Critical
CVE-2026-53513
was published
for
@better-auth/sso
(npm)
Jul 7, 2026
Better Auth has an account takeover issue via OAuth auto-link to unverified pre-registered email
High
CVE-2026-53516
was published
for
better-auth
(npm)
Jul 7, 2026
Better Auth vulnerable to unauthorized invitation acceptance via unverified email match in organization plugin
High
CVE-2026-53514
was published
for
better-auth
(npm)
Jul 7, 2026
Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins
Critical
CVE-2026-53512
was published
for
better-auth
(npm)
Jul 7, 2026
Zebra: Missing copy constraint in halo2_gadgets variable-base scalar multiplication allows under-constrained base, breaking Orchard Action circuit soundness
Critical
CVE-2026-54496
was published
for
halo2_gadgets
(Rust)
Jul 6, 2026
Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access
Moderate
CVE-2026-55430
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
SimpleSAMLphp SP accepts a response from an unexpected IdP when unsigned `Response/InResponseTo` is combined with a signed assertion lacking `SubjectConfirmationData/InResponseTo`
High
CVE-2026-49284
was published
for
simplesamlphp/simplesamlphp
(Composer)
Jul 2, 2026
Zebra has sync restart poisoning from single unauthenticated peer via above-lookahead block
Moderate
CVE-2026-52737
was published
for
zebra-consensus
(Rust)
Jul 2, 2026
OpenClaw: Trusted retry endpoint checks could match hostname prefixes
High
GHSA-77q5-rr5v-x43q
was published
for
openclaw
(npm)
Jul 2, 2026
Rancher Fleet has Unauthenticated Webhook: Regex Injection via Unsanitized Repository URL Components
High
CVE-2026-44937
was published
for
github.com/rancher/fleet
(Go)
Jul 1, 2026
sigstore-js has Insufficient Verification of Data Authenticity
Moderate
CVE-2026-48816
was published
for
@sigstore/verify
(npm)
Jul 1, 2026
A security flaw has been discovered in MyScale MyScaleDB up to 1.8.0. This vulnerability affects...
Low
Unreviewed
CVE-2026-13513
was published
Jun 29, 2026
A vulnerability was detected in volcengine OpenViking up to 0.3.21. This affects the function...
Low
Unreviewed
CVE-2026-13507
was published
Jun 29, 2026
A flaw has been found in arc53 DocsGPT up to 0.18.0. The affected element is the function...
Low
Unreviewed
CVE-2026-13483
was published
Jun 28, 2026
The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login...
Moderate
Unreviewed
CVE-2026-9242
was published
Jun 27, 2026
pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes
High
CVE-2026-55698
was published
for
pnpm
(npm)
Jun 26, 2026
pnpm: Unsafe default behavior breaks integrity check
Moderate
CVE-2026-50573
was published
for
pnpm
(npm)
Jun 26, 2026
chi Has an IP Spoofing Vulnerability in `middleware.RealIP`
Moderate
GHSA-3fxj-6jh8-hvhx
was published
for
github.com/go-chi/chi/v5/middleware
(Go)
Jun 25, 2026
Gogs: LFS dedupe path leaks private repo content across tenants
High
CVE-2026-52812
was published
for
gogs.io/gogs
(Go)
Jun 23, 2026
AVideo has an Authorize.Net Webhook Signature Bypass that Enables Wallet Balance Inflation via Forged Payment Data
Moderate
CVE-2026-33731
was published
for
wwbn/avideo
(Composer)
Jun 22, 2026
Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that...
Critical
Unreviewed
CVE-2026-56073
was published
Jun 20, 2026
http4k: `HmacSha256.hash` (despite the `Hmac` naming) computed a plain unkeyed digest; clarified by deprecation in favour of `Sha256.hash` / `Sha256.hmac`
High
GHSA-m4w9-hjfw-vwj4
was published
for
org.http4k:http4k-core
(Maven)
Jun 19, 2026
Crossplane: Signature verification TOCTOU allows installing unverified package content via mutable tag
Critical
GHSA-wfqx-gjrf-g28r
was published
for
github.com/crossplane/crossplane
(Go)
Jun 19, 2026
CoreWCF: XML Signature Wrapping in WS-Security endorsing/supporting signature verification allows replay of captured signed messages
High
CVE-2026-54783
was published
for
CoreWCF.Primitives
(NuGet)
Jun 19, 2026
ProTip!
Advisories are also available from the
GraphQL API