Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,029
Maven
5,000+
npm
5,000+
NuGet
976
pip
5,000+
Pub
13
RubyGems
1,070
Rust
1,404
Swift
61
Unreviewed advisories
All unreviewed
5,000+

31,787 advisories

Loading
CakePHP Authentication: Open redirect weakness via backslash bypass Moderate
CVE-2026-55590 was published for cakephp/authentication (Composer) Jun 17, 2026
Avo: Missing Authorization in Avo Association Attach Endpoint Allows Unauthorized Relationship Manipulation and Privilege Escalation Critical
CVE-2026-55518 was published for avo (RubyGems) Jun 17, 2026
xIllunight Credited to xIllunight and Paul-Bob Paul-Bob Paul-Bob
Deno: Denial of service via non-ASCII bytes in WebSocket response headers Moderate
CVE-2026-55517 was published for deno (Rust) Jun 17, 2026
snoopysecurity Credited to snoopysecurity
HAPI FHIR: XXE in XsltUtilities.saxonTransform via unhardened Saxon TransformerFactory Critical
CVE-2026-55471 was published for ca.uhn.hapi.fhir:org.hl7.fhir.utilities (Maven) Jun 17, 2026
HAPI FHIR: Incomplete fix for CVE-2026-45367: DSTU2 FHIRPathEngine.matches() missing RegexTimeout protection allows ReDoS High
CVE-2026-55470 was published for ca.uhn.hapi.fhir:org.hl7.fhir.convertors (Maven) Jun 17, 2026
dyingman1 Credited to dyingman1
Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak Critical
CVE-2026-55450 was published for langflow (pip) Jun 17, 2026
vbCrLf Credited to vbCrLf, Jkavia, erichare, AntonioABLima, andifilhohub, and Adam-Aghili Jkavia Jkavia
erichare erichare AntonioABLima AntonioABLima andifilhohub andifilhohub Adam-Aghili Adam-Aghili
handlebars.java FileTemplateLoader Path Traversal High
CVE-2026-55760 was published for com.github.jknack:handlebars (Maven) Jun 17, 2026
dyingman1 Credited to dyingman1
Filament: Disabled RichEditor field state can be used for XSS High
CVE-2026-55409 was published for filament/forms (Composer) Jun 17, 2026
mike197312 Credited to mike197312 and danharrin danharrin danharrin
LangChain4j: SQL injection via metadata filters in langchain4j-mariadb and langchain4j-pgvector High
CVE-2026-55405 was published for dev.langchain4j:langchain4j-mariadb (Maven) Jun 17, 2026
v9d0g Credited to v9d0g and oscarpg oscarpg oscarpg
Capsule: Incomplete fix of CVE-2026-30963: singular/plural typo leaves namespaces/finalize unprotected Moderate
CVE-2026-55636 was published for github.com/projectcapsule/capsule (Go) Jun 17, 2026
character-s Credited to character-s
webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies Moderate
CVE-2026-9595 was published for webpack-dev-server (npm) Jun 17, 2026
bjohansebas Credited to bjohansebas and UlisesGascon UlisesGascon UlisesGascon
Multer vulnerable to Denial of Service via deeply nested field names High
CVE-2026-5079 was published for multer (npm) Jun 17, 2026
tndud042713 Credited to tndud042713, UlisesGascon, and bjohansebas UlisesGascon UlisesGascon
bjohansebas bjohansebas
Multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads Moderate
CVE-2026-5038 was published for multer (npm) Jun 17, 2026
yuki-matsuhashi Credited to yuki-matsuhashi, HamdaanAliQuatil, fasrm, UlisesGascon, bjohansebas, 0xStraw-Hat, bhaswanthc, ByamB4, sbouabid-sec, DavidCarliez, and JebeenLee HamdaanAliQuatil HamdaanAliQuatil
fasrm fasrm UlisesGascon UlisesGascon bjohansebas bjohansebas 0xStraw-Hat 0xStraw-Hat bhaswanthc bhaswanthc ByamB4 ByamB4 sbouabid-sec sbouabid-sec DavidCarliez DavidCarliez JebeenLee JebeenLee
Gitea: Open Redirect via redirect_to Moderate
CVE-2026-25779 was published for github.com/go-gitea/gitea (Go) Jun 17, 2026
quirmz Credited to quirmz
Gitea: Stored XSS via glTF `extensionsRequired` in Gitea 3D File Viewer High
CVE-2026-28737 was published for code.gitea.io/gitea (Go) Jun 17, 2026
yonatan-pl Credited to yonatan-pl
Gitea: Public-only tokens bypass private-resource restrictions on `/api/v1/user` self routes High
CVE-2026-24791 was published for code.gitea.io/gitea (Go) Jun 17, 2026
kamil-sawicki Credited to kamil-sawicki
Gitea: API Fork Missing CanCreateOrgRepo Check Allows Org Secret Exfiltration High
CVE-2026-22555 was published for code.gitea.io/gitea (Go) Jun 17, 2026
andrejtomci Credited to andrejtomci
Daytona: Cross-tenant data leak in notification WebSocket gateway via unverified organizationId join Moderate
CVE-2026-54324 was published for github.com/daytonaio/daytona (Go) Jun 17, 2026
vnth4nhnt Credited to vnth4nhnt
Claude Code: Out-of-Band Data Exfiltration via Pre-Approved HuggingFace Domain in WebFetch Moderate
CVE-2026-54316 was published for @anthropic-ai/claude-code (npm) Jun 17, 2026
Open WebUI: Any authenticated user can read other users' private notes via Socket.IO Moderate
CVE-2026-54022 was published for open-webui (pip) Jun 17, 2026
johnatzeropath Credited to johnatzeropath and LeftenantZero LeftenantZero LeftenantZero
Open WebUI: Authenticated users can target arbitrary configured Ollama backends via unguarded url_idx path parameter Moderate
CVE-2026-54021 was published for open-webui (pip) Jun 17, 2026
brodmart Credited to brodmart and Classic298 Classic298 Classic298
Open WebUI: RAG ACL Bypass in Milvus Multitenancy Mode Moderate
CVE-2026-54019 was published for open-webui (pip) Jun 17, 2026
0xEr3n Credited to 0xEr3n and Classic298 Classic298 Classic298
Open WebUI: SSRF Protection Bypass in Playwright Web Loader via HTTP Redirects High
CVE-2026-54018 was published for open-webui (pip) Jun 17, 2026
POV9en Credited to POV9en and Classic298 Classic298 Classic298
Open WebUI: Path traversal / SSRF in terminal server proxy via encoded path traversal High
CVE-2026-54017 was published for open-webui (pip) Jun 17, 2026
Tulgaaaaaaaa Credited to Tulgaaaaaaaa, sermikr0, and Classic298 sermikr0 sermikr0
Classic298 Classic298
OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers to another origin High
CVE-2026-53840 was published for openclaw (npm) Jun 17, 2026
YLChen-007 Credited to YLChen-007
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database