GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
31,787 advisories
Pi Agent: Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts
High
CVE-2026-54328
was published
for
@earendil-works/pi-coding-agent
(npm)
Jun 17, 2026
Pi Agent: Race condition in Pi auth.json writes could expose stored credentials
Low
CVE-2026-54327
was published
for
@earendil-works/pi-coding-agent
(npm)
Jun 17, 2026
Laravel Framework: Temporary Signed URL Path Confusion
Moderate
GHSA-crmm-hgp2-wgrp
was published
for
laravel/framework
(Composer)
Jun 17, 2026
Laravel Framework: CRLF injection in default email rule
High
GHSA-5vg9-5847-vvmq
was published
for
laravel/framework
(Composer)
Jun 17, 2026
Pi Agent: Potential XSS in HTML session exports via Markdown URL sanitization bypass
Low
CVE-2026-54326
was published
for
@earendil-works/pi-coding-agent
(npm)
Jun 16, 2026
Gitea: Token scope bypass on web archive download endpoint
Moderate
CVE-2026-20706
was published
for
code.gitea.io/gitea
(Go)
Jun 16, 2026
Gitea: Missing repository-unit authorization on issue-template API endpoints
Moderate
CVE-2026-27783
was published
for
code.gitea.io/gitea
(Go)
Jun 16, 2026
Gitea: Incomplete CVE-2025-68941 fix: /user/orgs missing checkTokenPublicOnly + switch-case logic flaw
Moderate
CVE-2026-25714
was published
for
code.gitea.io/gitea
(Go)
Jun 16, 2026
Gitea: Authorization Bypass via "Allow edits from maintainers" allows unauthorized commits to any readable repo
High
CVE-2026-26231
was published
for
code.gitea.io/gitea
(Go)
Jun 16, 2026
Gitea: OAuth2 access token scope enforcement bypass via HTTP Basic authentication
High
CVE-2026-28699
was published
for
code.gitea.io/gitea
(Go)
Jun 16, 2026
Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix
Critical
CVE-2026-49980
was published
for
github.com/rclone/rclone
(Go)
Jun 16, 2026
@nuxt/webpack-builder and @nuxt/rspack-builder dev server same-origin check bypassed when Sec-Fetch-Site, Origin, and Referer are all absent (incomplete fix for GHSA-6m52-m754-pw2g)
Moderate
CVE-2026-49993
was published
for
@nuxt/rspack-builder
(npm)
Jun 16, 2026
Cross-site scripting via <NoScript> slot content in Nuxt's head components
Low
GHSA-m3q2-p4fw-w38m
was published
for
nuxt
(npm)
Jun 16, 2026
LiteLLM: Authentication Bypass via Host Header Injection
Critical
CVE-2026-49468
was published
for
litellm
(pip)
Jun 16, 2026
Gitea: Git Smart HTTP Skips Repository Token Scopes for Bearer Tokens
High
CVE-2026-28744
was published
for
code.gitea.io/gitea
(Go)
Jun 16, 2026
n8n: SecurityScorecard Node Leaks API Token to User-Controlled Host
High
CVE-2026-54304
was published
for
n8n
(npm)
Jun 16, 2026
n8n: MCP Browser HTTP Transport Exposes Unauthenticated Browser-Control Sessions
High
CVE-2026-54309
was published
for
n8n
(npm)
Jun 16, 2026
n8n: Cross-Tenant Credential Takeover via Dynamic Credentials EE Endpoints
High
CVE-2026-54305
was published
for
n8n
(npm)
Jun 16, 2026
n8n: Public API Execution Retry Authorization Bypass
Moderate
GHSA-h3jj-5f3v-3685
was published
for
n8n
(npm)
Jun 16, 2026
n8n: Python Code Node AST Validator Bypass
Moderate
GHSA-jwm3-qcfw-c5pp
was published
for
n8n
(npm)
Jun 16, 2026
n8n: Reflected XSS via Facebook, WhatsApp, and Microsoft Teams Trigger Webhook Verification Endpoints
Moderate
CVE-2026-54303
was published
for
n8n
(npm)
Jun 16, 2026
ProTip!
Advisories are also available from the
GraphQL API