GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 73
GitHub Actions: 53
Go: 4,004
Maven: 5,000+
npm: 5,000+
NuGet: 974
pip: 5,000+
Pub: 13
RubyGems: 1,069
Rust: 1,395
Swift: 61

Unreviewed advisories
All unreviewed: 5,000+
3,546 advisories

The Docker CLI --use-api-socket flag bypasses Enhanced Container Isolation (ECI) restrictions in...
High | Unreviewed | CVE-2026-6406 was published May 26, 2026

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14...
Moderate | Unreviewed | CVE-2026-28735 was published May 26, 2026

Nezha Monitoring: RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks (no ownership check)
Moderate | CVE-2026-47120 was published for github.com/nezhahq/nezha (Go) May 23, 2026

Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification
High | CVE-2026-46717 was published for github.com/nezhahq/nezha (Go) May 23, 2026

Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment...
High | Unreviewed | CVE-2026-8350 was published May 21, 2026

LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update...
High | Unreviewed | CVE-2026-47102 was published May 21, 2026

LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to...
High | Unreviewed | CVE-2026-47101 was published May 21, 2026

Twig: Sandbox property allowlist bypass via the `column` filter (array_column on objects)
Low | CVE-2026-46635 was published for twig/twig (Composer) May 21, 2026

NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation
Low | CVE-2026-46549 was published for nocodb (npm) May 21, 2026

MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement
High | CVE-2026-46519 was published for mcp-server-kubernetes (npm) May 21, 2026

Mattermost versions 11.5.x <= 11.5.1 fail to validate team-level run_create permission against...
Moderate | Unreviewed | CVE-2026-4055 was published May 21, 2026

In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin'...
Moderate | Unreviewed | CVE-2026-20238 was published May 20, 2026

Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows
Moderate | GHSA-c2c9-mfw7-p8hw was published for flowise (npm) May 20, 2026

wger: cross-tenant account deletion / deactivation / activation by gym.manage_gym + gym=None
High | GHSA-mw8f-w6p8-xrf4 was published for wger (pip) May 20, 2026

LIVE555 before 2026.04.22 contains an authorization bypass vulnerability in RTSP session command...
High | Unreviewed | CVE-2026-41470 was published May 19, 2026

Apache Airflow Amazon provider: Prevent unauthorized access to team-scoped secrets in AWS Secrets Manager and SSM Parameter Store backends
Moderate | CVE-2026-42526 was published for apache-airflow-providers-amazon (pip) May 19, 2026

Caddy: Remote Admin Authorization Bypass on PKI Endpoints via Prefix-Based Path Matching
Moderate | GHSA-gx7w-56w6-g48x was published for github.com/caddyserver/caddy/v2 (Go) May 19, 2026

Caddy: Remote Admin Authorization Bypass in `/config` API via Array Index Normalization
Moderate | CVE-2026-45692 was published for github.com/caddyserver/caddy/v2 (Go) May 19, 2026

Sparx Pro Cloud Server is vulnerable to Broken Access Control within communication with the...
High | Unreviewed | CVE-2026-42096 was published May 19, 2026

HCL Connections contains a broken access control vulnerability that may allow unauthorized user...
Moderate | Unreviewed | CVE-2026-21789 was published May 18, 2026

Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on Out-of-Scope Rows
Moderate | CVE-2026-45718 was published for budibase (npm) May 18, 2026

Mattermost doesn't check public/private permissions
Moderate | CVE-2026-6343 was published for github.com/mattermost/mattermost-plugin-playbooks (Go) May 18, 2026

Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid...
Moderate | Unreviewed | CVE-2026-6342 was published May 18, 2026

Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on...
Moderate | Unreviewed | CVE-2026-6341 was published May 18, 2026

Mattermost doesn't check if {{team_id}} was being changed when updating playbooks
Low | CVE-2026-4286 was published for github.com/mattermost/mattermost-plugin-playbooks (Go) May 18, 2026

ProTip! Advisories are also available from the GraphQL API