
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

32,526 advisories

Hackney has SSRF allowlist bypass in hackney_url:normalize/2 via percent-encoded host
Severity: Moderate
CVE-2026-47076 was published for hackney (Erlang) Jun 26, 2026
Credited to Ganbagana and maennchen

Hackney has CRLF / header injection via unvalidated `domain` and `path` options
Severity: Low
CVE-2026-47069 was published for hackney (Erlang) Jun 26, 2026
Credited to PJUllrich and maennchen

Hackney: `ssl:connect/2` post-handshake upgrade has no timeout
Severity: High
CVE-2026-47071 was published for hackney (Erlang) Jun 26, 2026
Credited to PJUllrich and maennchen

Hackney has an infinite loop on non-token byte at start of an Alt-Svc entry
Severity: High
CVE-2026-47066 was published for hackney (Erlang) Jun 26, 2026
Credited to PJUllrich and maennchen

Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication
Severity: High
CVE-2026-49357 was published for line-desktop-mcp (npm) Jun 26, 2026

Aimeos Pagible CMS vulnerable to Server Side Request Forgery (SSRF) via DNS rebinding in admin proxy
Severity: Low
CVE-2026-49262 was published for aimeos/pagible (Composer) Jun 26, 2026
Credited to PomPomSaturin

pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile
Severity: Moderate
CVE-2026-48995 was published for pnpm (npm) Jun 26, 2026
Credited to dsherret

Cargo crates in third party registries can override the cached source of other crates
Severity: Moderate
CVE-2026-5223 was published for cargo (Rust) Jun 26, 2026
Credited to christos-spearbit, arlosi, emilyalbini, cuviper, and Manishearth

Cargo can be coerced to share credentials between registries
Severity: Low
CVE-2026-5222 was published for cargo (Rust) Jun 26, 2026
Credited to christos-spearbit, arlosi, weihanglo, ehuss, emilyalbini, cuviper, and Manishearth

Credited to tonghuaroot and endelwar

Nebula Mesh: Web UI lacks ownership checks, enabling cross-operator access to hosts and networks (read, block, delete)
Severity: High
CVE-2026-49258 was published for github.com/juev/nebula-mesh (Go) Jun 26, 2026
Credited to ak2k

phpMyFAQ has an incomplete fix for GHSA-xvp4-phqj-cjr3 — editUser() and updateUserRights() lack authorization guards
Severity: High
GHSA-985r-q3qp-299h was published for phpmyfaq/phpmyfaq (Composer) Jun 26, 2026
Credited to SnailSploit and 0xShemesh

@cardano402/mcp-server missing spending limits, LAN-exposed HTTP transport, and SSRF via catalog.server.url
Severity: Low
GHSA-rp72-5v5q-2446 was published for @cardano402/mcp-server (npm) Jun 26, 2026
Credited to MorganOnCode

mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind
Severity: Critical
CVE-2026-49257 was published for mcp-pinot-server (pip) Jun 26, 2026
Credited to raysabee and PeledTomer1

Relyra SAML SignatureValue not cryptographically verified -> authentication bypass
Severity: Critical
CVE-2026-49454 was published for relyra (Erlang) Jun 26, 2026

mcp-memory-service: OAuth read-only clients can write and delete memories through MCP tools/call
Severity: High
CVE-2026-49291 was published for mcp-memory-service (pip) Jun 26, 2026
Credited to DavidCarliez

deepstream is vulnerable to prototype pollution
Severity: Critical
CVE-2026-49252 was published for @deepstream/server (npm) Jun 26, 2026

Dosage Vulnerable to Stored Cross-Site Scripting (XSS) in HTML/RSS Output Handlers
Severity: Moderate
GHSA-75mw-h36v-2jv7 was published for dosage (pip) Jun 26, 2026
Credited to yueyueL

nebula-mesh: Signed-poll nonce LRU is in-memory and bounded; replay survives restart + eviction
Severity: Low
GHSA-v2jf-442r-6mjh was published for github.com/juev/nebula-mesh (Go) Jun 26, 2026
Credited to ak2k

WebauthnAuthenticator leaks sensitive HTTP headers through INFO-level logs
Severity: Moderate
GHSA-q683-8468-r6h6 was published for web-auth/webauthn-symfony-bundle (Composer) Jun 26, 2026

CakePHP: View::element() is missing a path containment check
Severity: Moderate
CVE-2026-48820 was published for cakephp/cakephp (Composer) Jun 26, 2026
Credited to z3moo, get-wright, markstory, and dereuromark

joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry payload-size limits during deserialization
Severity: Moderate
CVE-2026-48990 was published for joserfc (pip) Jun 26, 2026
Credited to 0xHunSec

better-helperjs Vulnerable to Directory Traversal via String Prefix Bypass in Static Server
Severity: High
GHSA-3p34-w4f6-5xh2 was published for better-helperjs (npm) Jun 26, 2026
Credited to TurboRigby