GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 70; GitHub Actions 52; Go 3,904; Maven 5,000+; npm 5,000+; NuGet 967; pip 5,000+; Pub 13; RubyGems 1,062; Rust 1,374; Swift 54.
Unreviewed advisories: All unreviewed 5,000+.
533 advisories
Symfony's Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay
Moderate. CVE-2026-45074 was published for symfony/security-http (Composer) May 27, 2026

Symfony Vulnerable to Identity Spoofing via Unanchored DN Regex in X509Authenticator
High. CVE-2026-45063 was published for symfony/security-http (Composer) May 27, 2026

An attacker is able to downgrade the security of a Bluetooth LE connection by deleting an...
High, Unreviewed. CVE-2026-8676 was published May 26, 2026

Soroush IM Desktop App 0.17.0 contains an authentication bypass vulnerability that allows local...
High, Unreviewed. CVE-2018-25361 was published May 26, 2026

Spoofing issue in the Form Autofill component. This vulnerability was fixed in Firefox 151 and...
Moderate, Unreviewed. CVE-2026-8961 was published May 19, 2026

Spoofing issue in WebExtensions. This vulnerability was fixed in Firefox 151.
High, Unreviewed. CVE-2026-8960 was published May 19, 2026

Spoofing issue in the Web Speech component. This vulnerability was fixed in Firefox 151.
High, Unreviewed. CVE-2026-8963 was published May 19, 2026

Spoofing issue in the Toolbar component in Firefox for Android. This vulnerability was fixed in...
Moderate, Unreviewed. CVE-2026-8951 was published May 19, 2026

A session fixation vulnerability was found in Keycloak's login-actions endpoints. An...
High, Unreviewed. CVE-2026-7507 was published May 19, 2026

@samanhappy/mcphub: SSE Endpoint Accepts Arbitrary Username from URL Path Without Authentication, Enabling User Impersonation
Critical. GHSA-wf8q-wvv8-p8jf was published for @samanhappy/mcphub (npm) May 14, 2026

Fleet: IP spoofing allows bypassing API rate limiting
Moderate. CVE-2026-46356 was published for github.com/fleetdm/fleet/v4 (Go) May 14, 2026

Fleet Windows MDM Azure AD JWT Authentication Bypass
High. CVE-2026-24899 was published for github.com/fleetdm/fleet/v4 (Go) May 14, 2026

Fleet has a rate limiting bypass via untrusted client IP headers
Moderate. CVE-2026-24000 was published for github.com/fleetdm/fleet/v4 (Go) May 14, 2026

When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker...
Moderate, Unreviewed. CVE-2026-40460 was published May 13, 2026

SillyTavern has Authentication Bypass via SSO Header Injection
Critical. CVE-2026-44649 was published for sillytavern (npm) May 12, 2026

A file quarantine bypass was addressed with additional checks. This issue is fixed in iOS 18.7.9...
High, Unreviewed. CVE-2026-28954 was published May 11, 2026

Crabbox before 0.9.0 contains an authentication bypass vulnerability in the coordinator user...
High, Unreviewed. CVE-2026-45223 was published May 11, 2026
Unity Catalog has a JWT Issuer Validation Bypass that Allows Complete User Impersonation
Critical. CVE-2026-27478 was published for io.unitycatalog:unitycatalog-server (Maven) May 11, 2026
OpenCart 3.0.3.8 contains a session fixation vulnerability that allows attackers to hijack user...
Critical, Unreviewed. CVE-2021-47923 was published May 10, 2026
A vulnerability in Remote Spark SparkView before build 1122 allows an attacker to bypass the...
Critical, Unreviewed. CVE-2026-6213 was published May 8, 2026
opentelemetry-collector-contrib's azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay
High. CVE-2026-42602 was published for github.com/open-telemetry/opentelemetry-collector-contrib/extension/azureauthextension (Go) May 6, 2026

Duplicate Advisory: OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens
High. GHSA-35vf-vw9f-q3cr was published for openclaw (npm) May 6, 2026 (withdrawn)

Codechecker has an authentication bypass for certain API calls
Critical. CVE-2026-25660 was published for codechecker (pip) May 5, 2026

OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens
High. CVE-2026-44118 was published for openclaw (npm) May 4, 2026

Sentry's improper authentication on SAML SSO process allows user identity linking
Critical. CVE-2026-42354 was published for sentry (pip) Apr 30, 2026