Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
74
GitHub Actions
54
Go
4,115
Maven
5,000+
npm
5,000+
NuGet
994
pip
5,000+
Pub
13
RubyGems
1,095
Rust
1,417
Swift
61
Unreviewed advisories
All unreviewed
5,000+

506 advisories

Loading
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.197 allowed a... Moderate Unreviewed
CVE-2026-13034 was published Jun 24, 2026
Inappropriate implementation in DeviceBoundSessionCredentials in Google Chrome prior to 149.0... Moderate Unreviewed
CVE-2026-13021 was published Jun 24, 2026
Glances: XML-RPC Server Missing Host Header Validation Enables DNS Rebinding Attack Moderate
CVE-2026-46611 was published for glances (pip) Jun 22, 2026
sectroyer Credited to sectroyer
Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request... Moderate Unreviewed
CVE-2026-54665 was published Jun 22, 2026
Anki's local HTTP server does not sufficiently validate requests High
GHSA-869j-r97x-hx2g was published for aqt (pip) Jun 19, 2026
taviso Credited to taviso
LangSmith SDK TracingMiddleware: Arbitrary server-side file read High
GHSA-f4xh-w4cj-qxq8 was published for langsmith (pip) Jun 19, 2026
Ryu7zz Credited to Ryu7zz
Uni-CLI: Legacy HTTP MCP transport accepted browser-originated localhost requests High
GHSA-v3f4-w7r7-v3hm was published for @zenalexa/unicli (npm) Jun 19, 2026
dodge1218 Credited to dodge1218
dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens Moderate
CVE-2026-55837 was published for dbt-mcp (pip) Jun 19, 2026
EQSTLab Credited to EQSTLab
TinaCMS: Cross-origin postMessage handlers and rich-text URL-sanitization bypass enable stored XSS and session takeover High
CVE-2026-55660 was published for @tinacms/app (npm) Jun 19, 2026
kulesy Credited to kulesy
Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs Critical
CVE-2026-55791 was published for craftcms/cms (Composer) Jun 19, 2026
seoyoung-kang Credited to seoyoung-kang
Blocky DNSSEC validation bypass and validation-cache scope pollution High
GHSA-x845-2f78-7v36 was published for github.com/0xERR0R/blocky (Go) Jun 19, 2026
RealHurrison Credited to RealHurrison
Kozou: Unauthenticated MCP HTTP server and bundled dev-stack hardening (DNS-rebinding, request-body limits, read-only reads, default network exposure) High
GHSA-v52w-28xh-v562 was published for @kozou/api (npm) Jun 19, 2026
guzzlehttp/guzzle: Dot-Only Cookie Domains Match All Hosts Moderate
CVE-2026-55767 was published for guzzlehttp/guzzle (Composer) Jun 19, 2026
iliaal Credited to iliaal
undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse High
CVE-2026-6734 was published for undici (npm) Jun 19, 2026
ChALkeR Credited to ChALkeR, mcollina, and UlisesGascon mcollina mcollina
UlisesGascon UlisesGascon
PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools High
GHSA-vmf9-xx9w-86wx was published for praisonai (pip) Jun 18, 2026
rexpository Credited to rexpository
ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider Moderate
CVE-2026-55669 was published for github.com/zitadel/zitadel (Go) Jun 18, 2026
Android-Login-Analysis Credited to Android-Login-Analysis, IAM-marco, livio-a, and Punisher100 IAM-marco IAM-marco
livio-a livio-a Punisher100 Punisher100
webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies Moderate
CVE-2026-9595 was published for webpack-dev-server (npm) Jun 17, 2026
bjohansebas Credited to bjohansebas and UlisesGascon UlisesGascon UlisesGascon
Open WebUI: Cross-origin postMessage confirmation bypass via action:submit High
CVE-2026-54007 was published for open-webui (pip) Jun 17, 2026
Aikido-Security Credited to Aikido-Security, JorianWoltjer, grumpinout1, and Classic298 JorianWoltjer JorianWoltjer
grumpinout1 grumpinout1 Classic298 Classic298
Same-origin policy bypass in the Networking: Cookies component. This vulnerability was fixed in... Critical Unreviewed
CVE-2026-12304 was published Jun 16, 2026
Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted... High Unreviewed
CVE-2026-47825 was published Jun 15, 2026
@angular/platform-server: URL Parser Differential leading to SSRF Allowlist Bypass High
CVE-2026-50168 was published for @angular/platform-server (npm) Jun 15, 2026
alan-agius4 Credited to alan-agius4, AndrewKushnir, josephperrott, and 0xEr3n AndrewKushnir AndrewKushnir
josephperrott josephperrott 0xEr3n 0xEr3n
The Model Context Protocol has a security warning advising servers to validate the "Origin"... Critical Unreviewed
CVE-2026-11624 was published Jun 13, 2026
Appsmith: Configuration-dependent origin validation bypass in password reset and email verification link generation High
GHSA-j9gf-vw2f-9hrw was published for com.appsmith:server (Maven) Jun 12, 2026
0xmrma Credited to 0xmrma
Inappropriate implementation in Passwords in Google Chrome on Android prior to 149.0.7827.115... Low Unreviewed
CVE-2026-12032 was published Jun 12, 2026
Idira Identity Browser Extension (Chrome, Firefox, and Edge builds) versions prior to 26.8.1... High Unreviewed
CVE-2026-45173 was published Jun 12, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database