GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,282
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,105
Rust
1,490
Swift
61
Unreviewed advisories
All unreviewed
5,000+
84 advisories
Filter by severity
HCL DevOps Deploy uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to...
Moderate
Unreviewed
CVE-2026-56458
was published
Jul 9, 2026
Joro: Unauthenticated Cross-Origin Plugin Upload Leads to RCE
Critical
CVE-2026-53649
was published
for
github.com/BishopFox/joro
(Go)
Jul 8, 2026
A malicious actor who lures an authenticated user to a malicious page could exploit a Cross...
High
Unreviewed
CVE-2026-55110
was published
Jul 2, 2026
IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 uses Cross-Origin...
Moderate
Unreviewed
CVE-2026-12084
was published
Jun 30, 2026
Papermark through 0.22.0 contains a cross-origin resource sharing (CORS) misconfiguration...
Low
Unreviewed
CVE-2026-57957
was published
Jun 29, 2026
Glances: XML-RPC Multi-Origin CORS Configuration Silently Falls Back to Wildcard (Incomplete Fix for CVE-2026-33533)
High
CVE-2026-46608
was published
for
glances
(pip)
Jun 22, 2026
PraisonAI before 1.5.128 contains a cross-origin agent execution vulnerability in the AGUI...
High
Unreviewed
CVE-2026-56076
was published
Jun 19, 2026
hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard
High
CVE-2026-54290
was published
for
hono
(npm)
Jun 16, 2026
The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test...
High
Unreviewed
CVE-2026-50088
was published
Jun 12, 2026
The Aqara IAM/SSO gateway (gw-builder.aqara.com) exhibits a cross-origin request sharing...
High
Unreviewed
CVE-2026-50087
was published
Jun 12, 2026
CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when...
High
Unreviewed
CVE-2026-10056
was published
May 29, 2026
MCP Toolbox for Databases vulnerable to DNS rebinding attacks
Critical
CVE-2026-9739
was published
for
github.com/googleapis/mcp-toolbox
(Go)
May 28, 2026
Flowise: Hardcoded CORS wildcard on TTS endpoint enables cross-origin credential abuse from any webpage
Moderate
GHSA-m837-xvxr-vqwg
was published
for
flowise
(npm)
May 20, 2026
Algernon: Auto-refresh SSE event server sets Access-Control-Allow-Origin: *
Moderate
CVE-2026-46431
was published
for
github.com/xyproto/algernon
(Go)
May 20, 2026
Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in...
Critical
Unreviewed
CVE-2026-8948
was published
May 19, 2026
Algernon: Auto-refresh SSE event server binds to all interfaces with Access-Control-Allow-Origin: * and no authentication
Moderate
GHSA-9v4j-7g44-qcqw
was published
for
github.com/xyproto/algernon
(Go)
May 19, 2026
Inappropriate implementation in CORS in Google Chrome on Linux and ChromeOS prior to 148.0.7778...
Moderate
Unreviewed
CVE-2026-8576
was published
May 14, 2026
Insufficient policy enforcement in ViewTransitions in Google Chrome prior to 148.0.7778.168...
Moderate
Unreviewed
CVE-2026-8537
was published
May 14, 2026
Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin
Moderate
CVE-2026-45021
was published
for
github.com/kumahq/kuma
(Go)
May 14, 2026
@yoda.digital/gitlab-mcp-server's SSE transport has no authentication and wildcard CORS, exposing all 86 GitLab tools
High
CVE-2026-44895
was published
for
@yoda.digital/gitlab-mcp-server
(npm)
May 9, 2026
engram: HTTP server CORS wildcard + auth-off-by-default enables CSRF graph exfiltration and persistent indirect prompt injection
High
GHSA-2r2p-4cgf-hv7h
was published
for
engramx
(npm)
Apr 22, 2026
Glances: Cross-Origin Information Disclosure via Unauthenticated REST API (/api/4) due to Permissive CORS
High
CVE-2026-34839
was published
for
Glances
(pip)
Apr 21, 2026
WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover
High
CVE-2026-41056
was published
for
wwbn/avideo
(Composer)
Apr 14, 2026
PraisonAI: Cross-Origin Agent Execution via Hardcoded Wildcard CORS and Missing Authentication on AGUI Endpoint
High
GHSA-x462-jjpc-q4q4
was published
for
praisonaiagents
(pip)
Apr 10, 2026
CORS misconfiguration in CoolerControl/coolercontrold <4.0.0 allows unauthenticated remote...
Moderate
Unreviewed
CVE-2026-5302
was published
Apr 8, 2026
ProTip!
Advisories are also available from the
GraphQL API