GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories (count by ecosystem): All reviewed 5,000+; Composer 5,000+; Erlang 73; GitHub Actions 53; Go 4,022; Maven 5,000+; npm 5,000+; NuGet 976; pip 5,000+; Pub 13; RubyGems 1,069; Rust 1,403; Swift 61.
Unreviewed advisories: All unreviewed 5,000+.
84 advisories
LiteLLM: Authentication Bypass via Host Header Injection
Critical. CVE-2026-49468 was published for litellm (pip) on Jun 16, 2026.
ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization...
Critical. Unreviewed. CVE-2026-36537 was published on Jun 15, 2026.
Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload
Critical. CVE-2026-48063 was published for @whiskeysockets/baileys (npm) on Jun 10, 2026.
Authentication bypass by spoofing in Azure HorizonDB allows an unauthorized attacker to elevate...
Critical. Unreviewed. CVE-2026-48567 was published on Jun 5, 2026.
IBM WebSphere Application Server 9.0 and 8.5 are vulnerable to identity spoofing.
Critical. Unreviewed. CVE-2026-8644 was published on Jun 1, 2026.
@samanhappy/mcphub: SSE Endpoint Accepts Arbitrary Username from URL Path Without Authentication, Enabling User Impersonation
Critical. GHSA-wf8q-wvv8-p8jf was published for @samanhappy/mcphub (npm) on May 14, 2026.
SillyTavern has Authentication Bypass via SSO Header Injection
Critical. CVE-2026-44649 was published for sillytavern (npm) on May 12, 2026.
Unity Catalog has a JWT Issuer Validation Bypass that Allows Complete User Impersonation
Critical. CVE-2026-27478 was published for io.unitycatalog:unitycatalog-server (Maven) on May 11, 2026.
OpenCart 3.0.3.8 contains a session fixation vulnerability that allows attackers to hijack user...
Critical. Unreviewed. CVE-2021-47923 was published on May 10, 2026.
A vulnerability in Remote Spark SparkView before build 1122 allows an attacker to bypass the...
Critical. Unreviewed. CVE-2026-6213 was published on May 8, 2026.
Codechecker has an authentication bypass for certain API calls
Critical. CVE-2026-25660 was published for codechecker (pip) on May 5, 2026.
Sentry's improper authentication in the SAML SSO process allows user identity linking
Critical. CVE-2026-42354 was published for sentry (pip) on Apr 30, 2026.
Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability that allows...
Critical. Unreviewed. CVE-2018-25318 was published on Apr 29, 2026.
Tenda W308R v2 V5.07.48 contains a cookie session weakness vulnerability that allows...
Critical. Unreviewed. CVE-2018-25316 was published on Apr 29, 2026.
Tenda W3002R/A302/W309R wireless routers version V5.07.64_en contain a cookie session weakness...
Critical. Unreviewed. CVE-2018-25317 was published on Apr 29, 2026.
OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing
Critical. CVE-2026-40575 was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) on Apr 15, 2026.
OAuth2 Proxy's Health Check User-Agent Matching Bypasses Authentication in auth_request Mode
Critical. CVE-2026-34457 was published for github.com/oauth2-proxy/oauth2-proxy (Go) on Apr 14, 2026.
In N2W before 4.3.2 and 4.4.0 before 4.4.1, improper validation of API request parameters enables...
Critical. Unreviewed. CVE-2025-59706 was published on Mar 25, 2026.
In N2W before 4.3.2 and 4.4.x before 4.4.1, there is potential remote code execution and account...
Critical. Unreviewed. CVE-2025-59707 was published on Mar 25, 2026.
Spoofing issue in the WebAuthn component in Firefox for Android. This vulnerability affects...
Critical. Unreviewed. CVE-2026-2800 was published on Feb 24, 2026.
Improper session management in GCOM EPON 1GE ONU version C00R371V00B01 allows attackers to...
Critical. Unreviewed. CVE-2025-71056 was published on Feb 23, 2026.
Nextcloud Talk allowlist bypass via actor.name display name spoofing
Critical. CVE-2026-28474 was published for @openclaw/nextcloud-talk (npm) on Feb 17, 2026.
FUXA Unauthenticated Remote Code Execution in Node-RED Integration
Critical. CVE-2026-25938 was published for fuxa-server (npm) on Feb 10, 2026.
An issue was discovered in OpenStack keystonemiddleware 10.5 through 10.7 before 10.7.2, 10.8 and...
Critical. Unreviewed. CVE-2026-22797 was published on Jan 19, 2026.
Zohocorp ManageEngine ADSelfService Plus versions before 6519 are vulnerable to Authentication...
Critical. Unreviewed. CVE-2025-11250 was published on Jan 13, 2026.