GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
975 advisories
Traefik: Kubernetes Gateway crossProviderNamespaces bypass allows HTTPRoute outside the allowlist to expose internal Traefik services
Moderate | CVE-2026-54761 was published for github.com/traefik/traefik (Go) | Jun 17, 2026

n8n: Wrong OAuth Scope on Evaluation Test Runs Endpoints
Moderate | GHSA-664h-gpgq-h6xx was published for n8n (npm) | Jun 17, 2026

Gitea: Token scope bypass on web archive download endpoint
Moderate | CVE-2026-20706 was published for code.gitea.io/gitea (Go) | Jun 16, 2026

Gitea: Authorization Bypass via "Allow edits from maintainers" allows unauthorized commits to any readable repo
High | CVE-2026-26231 was published for code.gitea.io/gitea (Go) | Jun 16, 2026

Gitea: OAuth2 access token scope enforcement bypass via HTTP Basic authentication
High | CVE-2026-28699 was published for code.gitea.io/gitea (Go) | Jun 16, 2026

Gitea: Git Smart HTTP Skips Repository Token Scopes for Bearer Tokens
High | CVE-2026-28744 was published for code.gitea.io/gitea (Go) | Jun 16, 2026

n8n: Credential Exfiltration via Permission Bypass
High | CVE-2026-54307 was published for n8n (npm) | Jun 16, 2026

n8n: Public API Execution Retry Authorization Bypass
Moderate | GHSA-h3jj-5f3v-3685 was published for n8n (npm) | Jun 16, 2026

Daytona: Public sandbox previews remain accessible for up to one hour after being made private
High | CVE-2026-54321 was published for github.com/daytonaio/daytona (Go) | Jun 16, 2026

Deno: process.loadEnvFile() bypasses env permission checks and mutates process.env with only read access
Moderate | CVE-2026-49983 was published for deno (Rust) | Jun 16, 2026

Nuxt: Route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher
High | CVE-2026-53721 was published for nuxt (npm) | Jun 16, 2026

Nest: Middleware Bypass on Fastify via Trailing Slash
High | CVE-2026-54281 was published for @nestjs/platform-fastify (npm) | Jun 15, 2026

Symfony: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes
High | CVE-2026-48489 was published for symfony/security-http (Composer) | Jun 15, 2026

File Browser has incorrect access control for public directory shares via rule path rebasing
High | CVE-2026-54091 was published for github.com/filebrowser/filebrowser (Go) | Jun 12, 2026

Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL
High | CVE-2026-48152 was published for @budibase/server (npm) | Jun 12, 2026

Chisel has an ACL Bypass via Post-Handshake SSH Channel ExtraData Injection
High | CVE-2026-48113 was published for github.com/jpillora/chisel (Go) | Jun 12, 2026

DevGuard has improper authorization on public assets
High | CVE-2026-48089 was published for github.com/l3montree-dev/devguard (Go) | Jun 11, 2026

Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data
Moderate | CVE-2026-49397 was published for github.com/nezhahq/nezha (Go) | Jun 10, 2026

Better Auth: Device authorization approve and deny accept any authenticated session while the user code is pending
High | CVE-2026-45337 was published for better-auth (npm) | Jun 4, 2026

PraisonAI Platform has a cross-workspace IDOR + member-role privilege escalation
Critical | CVE-2026-47407 was published for praisonai-platform (pip) | May 29, 2026

Admidio has IDOR in `documents-files.php` `mode=move_save` that lets any folder-uploader exfiltrate files from private folders
High | CVE-2026-47231 was published for admidio/admidio (Composer) | May 29, 2026

Admidio: IDOR in documents-files.php allows cross-folder file rename and description changes by unauthorized uploaders
Moderate | CVE-2026-47230 was published for admidio/admidio (Composer) | May 29, 2026

Admidio module-administrator can delete or reorder categories owned by other modules via dead authorization check in `modules/categories.php`
Moderate | CVE-2026-47227 was published for admidio/admidio (Composer) | May 29, 2026

CAPM3 vulnerable to Cross-Namespace resource access
Moderate | GHSA-rf84-wr5g-m3rp was published for github.com/metal3-io/cluster-api-provider-metal3 (Go) | May 29, 2026

Froxlor has an authorization bypass in FTP shell assignment via missing server-side `available_shells` enforcement
High | CVE-2026-41235 was published for froxlor/froxlor (Composer) | May 29, 2026
ProTip! Advisories are also available from the GraphQL API.