GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,269
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,487
Swift
61
Unreviewed advisories
All unreviewed
5,000+
362 advisories
Filter by severity
Goploy: Cross-namespace IDOR and RCE via body-supplied row id in project and project_file handlers
Critical
CVE-2026-53552
was published
for
github.com/zhenorzz/goploy
(Go)
Jul 7, 2026
@better-auth/scim: Account/provider takeover via missing owner binding on non-org SCIM providers
High
GHSA-j8v8-g9cx-5qf4
was published
for
@better-auth/scim
(npm)
Jul 7, 2026
EGroupware has a Remote Code Execution Vulnerability
Critical
CVE-2026-27823
was published
for
egroupware/egroupware
(Composer)
Jul 7, 2026
Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID
High
CVE-2026-55429
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
OpenRemote has Cross-Realm User Information Disclosure in UserResourceImpl
High
CVE-2026-54641
was published
for
io.openremote:openremote-manager
(Maven)
Jul 6, 2026
Kimai Favorite Timesheet Add and Remove Endpoints Allows Cross-User Bookmark Manipulation
Low
GHSA-j5mc-p8qg-39j7
was published
for
kimai/kimai
(Composer)
Jul 2, 2026
Steeltoe vulnerable to management-port isolation bypass via spoofed Host header
High
CVE-2026-50194
was published
for
Steeltoe.Management.Endpoint
(NuGet)
Jul 2, 2026
Grackle: Fail-open authorization in the MCP tool layer lets scoped agents perform cross-task and cross-session mutations (IDOR)
High
GHSA-f9ff-5x35-7gfw
was published
for
@grackle-ai/auth
(npm)
Jul 2, 2026
Craft CMS: Unauthorized Deletion of Source Assets During File Replacement
Moderate
CVE-2026-50283
was published
for
craftcms/cms
(Composer)
Jul 2, 2026
SurrealDB has an Authorization Bypass via Composite Record-id Paths
Moderate
GHSA-6vg3-hgrw-p5gf
was published
for
surrealdb
(Rust)
Jul 1, 2026
Paymenter has URL parameter injection that bypasses paid plan limits at checkout
High
CVE-2026-47198
was published
for
paymenter/paymenter
(Composer)
Jun 30, 2026
Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR)
High
CVE-2026-49338
was published
for
go.senan.xyz/gonic
(Go)
Jun 26, 2026
gonic: Path Traversal in playlist `id` bypasses ownership check, enabling any user to read/delete other users' playlists
High
CVE-2026-49339
was published
for
go.senan.xyz/gonic
(Go)
Jun 26, 2026
Nezha vulnerable to cross-tenant terminal/file-manager session hijack via WebSocket stream UUID without ownership check
Critical
GHSA-q6xx-5vr8-p898
was published
for
github.com/nezhahq/nezha
(Go)
Jun 26, 2026
SolidInvoice: IDOR in LiveComponent allows same-company cross-user access to API tokens and notification transport settings
High
GHSA-7vfx-4246-jcfh
was published
for
solidinvoice/solidinvoice
(Composer)
Jun 26, 2026
Nebula Mesh: Web UI lacks ownership checks, enabling cross-operator access to hosts and networks (read, block, delete)
High
CVE-2026-49258
was published
for
github.com/juev/nebula-mesh
(Go)
Jun 26, 2026
Lemur: ACME SSRF + creator-equality IDOR lead to AWS IAM/PKI compromise
Critical
CVE-2026-55166
was published
for
lemur
(pip)
Jun 25, 2026
OpenAM Arbitrary OAuth Token Minting via Push Registration
High
CVE-2026-46498
was published
for
org.openidentityplatform.openam:openam-oauth2
(Maven)
Jun 25, 2026
Snipe-IT has Multi-Tenancy Bypass via Bulk Asset Update
Moderate
CVE-2026-55482
was published
for
snipe/snipe-it
(Composer)
Jun 23, 2026
Gogs: LFS dedupe path leaks private repo content across tenants
High
CVE-2026-52812
was published
for
gogs.io/gogs
(Go)
Jun 23, 2026
Gogs Missing Authorization in Attachment Download
High
CVE-2026-52799
was published
for
gogs.io/gogs
(Go)
Jun 22, 2026
OpenRemote Manager: removeAlarms cross-realm IDOR (bulk delete)
Critical
CVE-2026-57168
was published
for
io.openremote:openremote-manager
(Maven)
Jun 19, 2026
stistigmem-node: quarantine review surface exposes and mutates other tenants' quarantined facts (cross-tenant BOLA)
High
GHSA-xhv3-q4xx-349r
was published
for
stigmem-node
(pip)
Jun 19, 2026
stigmem-node: RTBF tombstones are mis-attributed and suppress reads tenant-blind (cross-tenant BOLA)
High
GHSA-x26h-xmv8-gxf7
was published
for
stigmem-node
(pip)
Jun 19, 2026
Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow
High
CVE-2026-55255
was published
for
langflow
(pip)
Jun 19, 2026
ProTip!
Advisories are also available from the
GraphQL API