
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open-source software.

1,380 advisories

n8n: SecurityScorecard Node Leaks API Token to User-Controlled Host (Severity: High)
CVE-2026-54304 was published for n8n (npm) on Jun 16, 2026
Credited to 34selen

n8n: Cross-Tenant Credential Takeover via Dynamic Credentials EE Endpoints (Severity: High)
CVE-2026-54305 was published for n8n (npm) on Jun 16, 2026
Credited to Solidscripting

Crawl4AI: LLM credential exfiltration in Docker server via request base_url and env: token resolution (Severity: High)
GHSA-f989-c77f-r2cq was published for crawl4ai (pip) on Jun 16, 2026
Credited to geo-chen

yt-dlp: File Downloader cookie leak with curl (Severity: Moderate)
CVE-2026-50019 was published for yt-dlp (pip) on Jun 16, 2026
Credited to seproDev, Grub4K, and bashonly

Netty: QUIC stateless reset token material exposed through header-visible connection IDs (Severity: Moderate)
CVE-2026-50009 was published for io.netty:netty-codec-classes-quic (Maven) on Jun 15, 2026
Credited to violetagg

Tornado: CurlAsyncHTTPClient leaks per-request credentials on handle reuse (Severity: Moderate)
GHSA-pw6j-qg29-8w7f was published for tornado (pip) on Jun 15, 2026

Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient (Severity: High)
CVE-2026-49853 was published for tornado (pip) on Jun 15, 2026
Credited to noobone123, SnailSploit, 0xHunSec, and sondt99

aiohttp: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges (Severity: Moderate)
CVE-2026-54276 was published for aiohttp (pip) on Jun 15, 2026
Credited to denyspakizh-tob and bdraco

@angular/service-worker: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker (Severity: High)
CVE-2026-54264 was published for @angular/service-worker (npm) on Jun 15, 2026
Credited to SkyZeroZx, alan-agius4, JeanMeche, and josephperrott

vite: `server.fs.deny` bypass on Windows alternate paths (Severity: High)
CVE-2026-53571 was published for vite (npm) on Jun 15, 2026
Credited to TazmiDev, 332QAQ, and ArnaudBarre

@babel/core: Arbitrary File Read via sourceMappingURL Comment (Severity: Low)
CVE-2026-49356 was published for @babel/core (npm) on Jun 15, 2026
Credited to radoi-teodor, JLHwung, nicolo-ribaudo, and liuxingbaoyu

@angular/service-worker: Request Credential & Cache Policy Stripping (Severity: Moderate)
CVE-2026-50184 was published for @angular/service-worker (npm) on Jun 15, 2026
Credited to SkyZeroZx, josephperrott, AndrewKushnir, alan-agius4, and JeanMeche

Angular Service Worker Policy-Bypass & Credential-Stripping Vulnerabilities (Severity: Moderate)
CVE-2026-50169 was published for @angular/service-worker (npm) on Jun 15, 2026
Credited to Yenya030, alan-agius4, JeanMeche, josephperrott, and AndrewKushnir

Fleet: Observer-level enrollment secret extraction via ORDER BY oracle on Apple MDM commands endpoint (Severity: Moderate)
CVE-2026-46371 was published for github.com/fleetdm/fleet/v4 (Go) on Jun 12, 2026

Fleet has observer-level enrollment secret extraction via ORDER BY oracle on labels host-listing endpoint (Severity: Moderate)
CVE-2026-46370 was published for github.com/fleetdm/fleet/v4 (Go) on Jun 12, 2026

TYPO3 CMS has Broken Access Control in its Media Module (Severity: High)
CVE-2026-49742 was published for typo3/cms-core (Composer) on Jun 12, 2026

TYPO3 CMS: Broken Access Control in Media Module (Severity: Moderate)
CVE-2026-47351 was published for typo3/cms-backend (Composer) on Jun 12, 2026

Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS (Severity: High)
CVE-2026-48050 was published for github.com/basekick-labs/arc (Go) on Jun 11, 2026
Credited to NeuroWinter

@hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects (Severity: Moderate)
CVE-2026-48022 was published for @hapi/wreck (npm) on Jun 11, 2026
Credited to SnailSploit

Element Call reports full URLs of visited pages to analytics server (Severity: High)
CVE-2026-48007 was published for @element-hq/element-call-embedded (npm) on Jun 11, 2026

Claude Code Action: Malicious MCP Server Configuration in PRs Enables Remote Code Execution and Secret Exfiltration (Severity: Moderate)
CVE-2026-47751 was published for anthropics/claude-code-action (GitHub Actions) on Jun 10, 2026

OpenTelemetry Operator for Kubernetes's ServiceMonitor bearerTokenFile reads arbitrary local file and sends contents as bearer auth (Severity: High)
CVE-2026-47701 was published for github.com/open-telemetry/opentelemetry-operator (Go) on Jun 10, 2026
Credited to everping, arminru, jaronoff97, and swiatekm

Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data (Severity: Moderate)
CVE-2026-49397 was published for github.com/nezhahq/nezha (Go) on Jun 10, 2026
Credited to offset

Arc has an authenticated arbitrary local-file read via DuckDB I/O functions that bypasses RBAC table-level checks (Severity: High)
CVE-2026-47735 was published for github.com/basekick-labs/arc (Go) on Jun 8, 2026
Credited to NeuroWinter