Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

362 advisories

Loading
Goploy: Cross-namespace IDOR and RCE via body-supplied row id in project and project_file handlers Critical
CVE-2026-53552 was published for github.com/zhenorzz/goploy (Go) Jul 7, 2026
tonghuaroot Credited to tonghuaroot
@better-auth/scim: Account/provider takeover via missing owner binding on non-org SCIM providers High
GHSA-j8v8-g9cx-5qf4 was published for @better-auth/scim (npm) Jul 7, 2026
Jvr2022 Credited to Jvr2022
EGroupware has a Remote Code Execution Vulnerability Critical
CVE-2026-27823 was published for egroupware/egroupware (Composer) Jul 7, 2026
realalphaman Credited to realalphaman
Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID High
CVE-2026-55429 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
OpenRemote has Cross-Realm User Information Disclosure in UserResourceImpl High
CVE-2026-54641 was published for io.openremote:openremote-manager (Maven) Jul 6, 2026
geo-chen Credited to geo-chen
Kimai Favorite Timesheet Add and Remove Endpoints Allows Cross-User Bookmark Manipulation Low
GHSA-j5mc-p8qg-39j7 was published for kimai/kimai (Composer) Jul 2, 2026
Mitchell45 Credited to Mitchell45
Steeltoe vulnerable to management-port isolation bypass via spoofed Host header High
CVE-2026-50194 was published for Steeltoe.Management.Endpoint (NuGet) Jul 2, 2026
Craft CMS: Unauthorized Deletion of Source Assets During File Replacement Moderate
CVE-2026-50283 was published for craftcms/cms (Composer) Jul 2, 2026
davidbors-snyk Credited to davidbors-snyk and cataliniovita-snyk cataliniovita-snyk cataliniovita-snyk
SurrealDB has an Authorization Bypass via Composite Record-id Paths Moderate
GHSA-6vg3-hgrw-p5gf was published for surrealdb (Rust) Jul 1, 2026
Paymenter has URL parameter injection that bypasses paid plan limits at checkout High
CVE-2026-47198 was published for paymenter/paymenter (Composer) Jun 30, 2026
debibobo Credited to debibobo and CorwinDev CorwinDev CorwinDev
Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR) High
CVE-2026-49338 was published for go.senan.xyz/gonic (Go) Jun 26, 2026
therawdev Credited to therawdev
Nezha vulnerable to cross-tenant terminal/file-manager session hijack via WebSocket stream UUID without ownership check Critical
GHSA-q6xx-5vr8-p898 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Uhudsavasindankacanokcu2 Credited to Uhudsavasindankacanokcu2
SolidInvoice: IDOR in LiveComponent allows same-company cross-user access to API tokens and notification transport settings High
GHSA-7vfx-4246-jcfh was published for solidinvoice/solidinvoice (Composer) Jun 26, 2026
Nebula Mesh: Web UI lacks ownership checks, enabling cross-operator access to hosts and networks (read, block, delete) High
CVE-2026-49258 was published for github.com/juev/nebula-mesh (Go) Jun 26, 2026
ak2k Credited to ak2k
Lemur: ACME SSRF + creator-equality IDOR lead to AWS IAM/PKI compromise Critical
CVE-2026-55166 was published for lemur (pip) Jun 25, 2026
im-rootkid Credited to im-rootkid
OpenAM Arbitrary OAuth Token Minting via Push Registration High
CVE-2026-46498 was published for org.openidentityplatform.openam:openam-oauth2 (Maven) Jun 25, 2026
wodzen Credited to wodzen
Snipe-IT has Multi-Tenancy Bypass via Bulk Asset Update Moderate
CVE-2026-55482 was published for snipe/snipe-it (Composer) Jun 23, 2026
TristanInSec Credited to TristanInSec
Gogs: LFS dedupe path leaks private repo content across tenants High
CVE-2026-52812 was published for gogs.io/gogs (Go) Jun 23, 2026
amwhoi Credited to amwhoi
Gogs Missing Authorization in Attachment Download High
CVE-2026-52799 was published for gogs.io/gogs (Go) Jun 22, 2026
odgrso Credited to odgrso
OpenRemote Manager: removeAlarms cross-realm IDOR (bulk delete) Critical
CVE-2026-57168 was published for io.openremote:openremote-manager (Maven) Jun 19, 2026
Forklit Credited to Forklit and vladkoniakhinmob vladkoniakhinmob vladkoniakhinmob
stigmem-node: RTBF tombstones are mis-attributed and suppress reads tenant-blind (cross-tenant BOLA) High
GHSA-x26h-xmv8-gxf7 was published for stigmem-node (pip) Jun 19, 2026
yzeirnials Credited to yzeirnials, andifilhohub, LeftenantZero, Zwique, AntonioABLima, erichare, and Adam-Aghili andifilhohub andifilhohub
LeftenantZero LeftenantZero Zwique Zwique AntonioABLima AntonioABLima erichare erichare Adam-Aghili Adam-Aghili
ProTip! Advisories are also available from the GraphQL API