
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

333 advisories

Gitea: Public-only tokens bypass private-resource restrictions on `/api/v1/user` self routes High
CVE-2026-24791 was published for code.gitea.io/gitea (Go) Jun 17, 2026
Credited to kamil-sawicki
Gitea: API Fork Missing CanCreateOrgRepo Check Allows Org Secret Exfiltration High
CVE-2026-22555 was published for code.gitea.io/gitea (Go) Jun 17, 2026
Credited to andrejtomci
Gitea: Authorization Bypass via "Allow edits from maintainers" allows unauthorized commits to any readable repo High
CVE-2026-26231 was published for code.gitea.io/gitea (Go) Jun 16, 2026
Credited to ddd
Gitea: OAuth2 access token scope enforcement bypass via HTTP Basic authentication High
CVE-2026-28699 was published for code.gitea.io/gitea (Go) Jun 16, 2026
Credited to Alardiians
Gitea: Git Smart HTTP Skips Repository Token Scopes for Bearer Tokens High
CVE-2026-28744 was published for code.gitea.io/gitea (Go) Jun 16, 2026
Credited to ohxorud-dev and lunny
n8n: Credential Exfiltration via Permission Bypass High
CVE-2026-54307 was published for n8n (npm) Jun 16, 2026
Daytona: Public sandbox previews remain accessible for up to one hour after being made private High
CVE-2026-54321 was published for github.com/daytonaio/daytona (Go) Jun 16, 2026
Credited to mrknight-n1du
Nest: Middleware Bypass on Fastify via Trailing Slash High
CVE-2026-54281 was published for @nestjs/platform-fastify (npm) Jun 15, 2026
Credited to a-tt-om and kamilmysliwiec
Credited to a-tt-om, teebow1e, and nicolas-grekas
File Browser has incorrect access control for public directory shares via rule path rebasing High
CVE-2026-54091 was published for github.com/filebrowser/filebrowser (Go) Jun 12, 2026
Credited to hacdias
Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL High
CVE-2026-48152 was published for @budibase/server (npm) Jun 12, 2026
Chisel has an ACL Bypass via Post-Handshake SSH Channel ExtraData Injection High
CVE-2026-48113 was published for github.com/jpillora/chisel (Go) Jun 12, 2026
Credited to mzfr
DevGuard has improper authorization on public assets High
CVE-2026-48089 was published for github.com/l3montree-dev/devguard (Go) Jun 11, 2026
Credited to philipflohr
Credited to whrit
Credited to offset and 0xEr3n
Froxlor has an authorization bypass in FTP shell assignment via missing server-side `available_shells` enforcement High
CVE-2026-41235 was published for froxlor/froxlor (Composer) May 29, 2026
Credited to larlarua
Credited to BagToad, kommendorkapten, babakks, and nophlyzone
OpenBao's cross-namespace lease revocation via legacy sys/revoke path bypasses ACL High
CVE-2026-45808 was published for github.com/openbao/openbao (Go) May 28, 2026
Credited to fg0x0
Pimcore has a CustomReports Share Bypass High
CVE-2026-45704 was published for pimcore/pimcore (Composer) May 27, 2026
Credited to HuajiHD
FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass High
CVE-2026-43947 was published for fuxa-server (npm) May 26, 2026
Credited to AbdrrahimDahmani
FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue High
CVE-2026-43946 was published for fuxa-server (npm) May 26, 2026
Credited to anyzy2003
FUXA Vulnerable to Pre-auth RCE via Path Manipulation & Configuration Injection High
CVE-2026-43945 was published for @frangoteam/fuxa (npm) May 26, 2026
Credited to ud444ng
Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification High
CVE-2026-46717 was published for github.com/nezhahq/nezha (Go) May 23, 2026
Credited to axsharma and 0xmagic0