Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

128 advisories

Loading
netfoil has a domain name filter bypass via multiple questions Moderate
GHSA-59qp-cfj3-rp64 was published for github.com/tinfoil-factory/netfoil (Go) Jul 7, 2026
@cedar-policy/authorization-for-expressjs has an authorization bypass via query string manipulation High
CVE-2026-49473 was published for @cedar-policy/authorization-for-expressjs (npm) Jun 30, 2026
Hackney has SSRF allowlist bypass in hackney_url:normalize/2 via percent-encoded host Moderate
CVE-2026-47076 was published for hackney (Erlang) Jun 26, 2026
Ganbagana Credited to Ganbagana and maennchen maennchen maennchen
Remark42: Cross-Site Scripting (XSS) on /api/v1/img via content-type spoofing High
CVE-2026-48788 was published for github.com/umputun/remark42 (Go) Jun 26, 2026
ildkh Credited to ildkh
OctoPrint has possible file exfiltration via query parameters on upload endpoints High
CVE-2026-54134 was published for OctoPrint (pip) Jun 23, 2026
seankohjs Credited to seankohjs and jacopotediosi jacopotediosi jacopotediosi
kexinoh Credited to kexinoh, russellb, jperezdealgaba, and DarkLight1337 russellb russellb
jperezdealgaba jperezdealgaba DarkLight1337 DarkLight1337
python-multipart: Semicolon treated as querystring field separator enables parameter smuggling Low
CVE-2026-53538 was published for python-multipart (pip) Jun 15, 2026
maxisbey Credited to maxisbey
python-multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters Low
CVE-2026-53537 was published for python-multipart (pip) Jun 15, 2026
0xkakash1 Credited to 0xkakash1 and sammiee5311 sammiee5311 sammiee5311
nicolas-grekas Credited to nicolas-grekas and 0xEr3n 0xEr3n 0xEr3n
Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification Moderate
CVE-2026-45066 was published for symfony/html-sanitizer (Composer) May 27, 2026
threalwinky Credited to threalwinky
Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring High
CVE-2026-42462 was published for @fedify/fedify (npm) May 26, 2026
Next.js vulnerable to cache poisoning in React Server Component responses Moderate
CVE-2026-44576 was published for next (npm) May 11, 2026
fast-uri vulnerable to host confusion via percent-encoded authority delimiters High
CVE-2026-6322 was published for fast-uri (npm) May 8, 2026
Jvr2022 Credited to Jvr2022, mcollina, UlisesGascon, and climba03003 mcollina mcollina
UlisesGascon UlisesGascon climba03003 climba03003
Flight: HTTP method override enabled by default, facilitating CSRF escalation and middleware bypass High
CVE-2026-42551 was published for flightphp/core (Composer) May 6, 2026
Rootingg Credited to Rootingg
Fiber's cache middleware default key generator ignores query string, causing response mix-up across distinct query parameters Moderate
CVE-2026-30246 was published for github.com/gofiber/fiber/v3 (Go) Apr 28, 2026
xeloxa Credited to xeloxa, gaby, and ReneWerner87 gaby gaby
ReneWerner87 ReneWerner87
Heimdall has an authorization bypass via path normalization mismatch High
CVE-2026-42274 was published for github.com/dadrus/heimdall (Go) Apr 25, 2026
Heimdall: Case-sensitive host matching may lead to policy bypass High
CVE-2026-42273 was published for github.com/dadrus/heimdall (Go) Apr 25, 2026
Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation High
CVE-2026-42272 was published for github.com/dadrus/heimdall (Go) Apr 25, 2026
justhtml has sanitization bypass in custom policies and programmatic DOM Moderate
GHSA-vrx2-77f2-ww34 was published for justhtml (pip) Apr 22, 2026
EmilStenstrom Credited to EmilStenstrom
@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes Critical
CVE-2026-6270 was published for @fastify/middie (npm) Apr 16, 2026
FredKSchott Credited to FredKSchott, climba03003, and UlisesGascon climba03003 climba03003
UlisesGascon UlisesGascon
@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option High
CVE-2026-33804 was published for @fastify/middie (npm) Apr 16, 2026
FredKSchott Credited to FredKSchott, mcollina, climba03003, and UlisesGascon mcollina mcollina
climba03003 climba03003 UlisesGascon UlisesGascon
Official Clerk JavaScript SDKs: Middleware-based route protection bypass Critical
CVE-2026-41248 was published for @clerk/astro (npm) Apr 16, 2026
YouGina Credited to YouGina
ProTip! Advisories are also available from the GraphQL API