GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 73; GitHub Actions 53; Go 4,029; Maven 5,000+; npm 5,000+; NuGet 976; pip 5,000+; Pub 13; RubyGems 1,070; Rust 1,404; Swift 61. Unreviewed advisories: 5,000+.
471 advisories
Capsule: Incomplete fix of CVE-2026-30963: singular/plural typo leaves namespaces/finalize unprotected
  Moderate. CVE-2026-55636 was published for github.com/projectcapsule/capsule (Go), Jun 17, 2026

Daytona: Cross-tenant data leak in notification WebSocket gateway via unverified organizationId join
  Moderate. CVE-2026-54324 was published for github.com/daytonaio/daytona (Go), Jun 17, 2026

Open WebUI: Any authenticated user can read other users' private notes via Socket.IO
  Moderate. CVE-2026-54022 was published for open-webui (pip), Jun 17, 2026

Open WebUI: Authenticated users can target arbitrary configured Ollama backends via unguarded url_idx path parameter
  Moderate. CVE-2026-54021 was published for open-webui (pip), Jun 17, 2026

Traefik: Kubernetes Gateway crossProviderNamespaces bypass allows HTTPRoute outside the allowlist to expose internal Traefik services
  Moderate. CVE-2026-54761 was published for github.com/traefik/traefik (Go), Jun 17, 2026

n8n: Wrong OAuth Scope on Evaluation Test Runs Endpoints
  Moderate. GHSA-664h-gpgq-h6xx was published for n8n (npm), Jun 17, 2026

Gitea: Token scope bypass on web archive download endpoint
  Moderate. CVE-2026-20706 was published for code.gitea.io/gitea (Go), Jun 16, 2026

n8n: Public API Execution Retry Authorization Bypass
  Moderate. GHSA-h3jj-5f3v-3685 was published for n8n (npm), Jun 16, 2026

Deno: process.loadEnvFile() bypasses env permission checks and mutates process.env with only read access
  Moderate. CVE-2026-49983 was published for deno (Rust), Jun 16, 2026

Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data
  Moderate. CVE-2026-49397 was published for github.com/nezhahq/nezha (Go), Jun 10, 2026

Admidio: IDOR in documents-files.php allows cross-folder file rename and description changes by unauthorized uploaders
  Moderate. CVE-2026-47230 was published for admidio/admidio (Composer), May 29, 2026

Admidio module-administrator can delete or reorder categories owned by other modules via dead authorization check in `modules/categories.php`
  Moderate. CVE-2026-47227 was published for admidio/admidio (Composer), May 29, 2026

CAPM3 vulnerable to Cross-Namespace resource access
  Moderate. GHSA-rf84-wr5g-m3rp was published for github.com/metal3-io/cluster-api-provider-metal3 (Go), May 29, 2026

nono: Sandbox escape on Linux via D-Bus: `systemd-run --user`
  Moderate. CVE-2026-47128 was published for nono-cli (Rust), May 28, 2026

Capsule TenantResource RawItems Cluster-Scoped Resource Creation Vulnerability
  Moderate. CVE-2026-22872 was published for github.com/projectcapsule/capsule (Go), May 28, 2026

Pimcore has a WordExport Authorization Bypass for Unauthorized Document Export
  Moderate. CVE-2026-45703 was published for pimcore/pimcore (Composer), May 27, 2026

Symfony's HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid]
  Moderate. CVE-2026-45075 was published for symfony/http-kernel (Composer), May 27, 2026

Nezha Monitoring: RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks (no ownership check)
  Moderate. CVE-2026-47120 was published for github.com/nezhahq/nezha (Go), May 23, 2026

Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows
  Moderate. GHSA-c2c9-mfw7-p8hw was published for flowise (npm), May 20, 2026

Apache Airflow Amazon provider: Prevent unauthorized access to team-scoped secrets in AWS Secrets Manager and SSM Parameter Store backends
  Moderate. CVE-2026-42526 was published for apache-airflow-providers-amazon (pip), May 19, 2026

Caddy: Remote Admin Authorization Bypass on PKI Endpoints via Prefix-Based Path Matching
  Moderate. GHSA-gx7w-56w6-g48x was published for github.com/caddyserver/caddy/v2 (Go), May 19, 2026

Caddy: Remote Admin Authorization Bypass in `/config` API via Array Index Normalization
  Moderate. CVE-2026-45692 was published for github.com/caddyserver/caddy/v2 (Go), May 19, 2026

Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on Out-of-Scope Rows
  Moderate. CVE-2026-45718 was published for budibase (npm), May 18, 2026

Mattermost doesn't check public/private permissions
  Moderate. CVE-2026-6343 was published for github.com/mattermost/mattermost-plugin-playbooks (Go), May 18, 2026

Mattermost doesn't enforce slash command trigger-word uniqueness during command updates
  Moderate. CVE-2026-28732 was published for github.com/mattermost/mattermost-server (Go), May 18, 2026