GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 86; GitHub Actions 54; Go 4,175; Maven 5,000+; npm 5,000+; NuGet 1,019; pip 5,000+; Pub 13; RubyGems 1,102; Rust 1,421; Swift 61.
Unreviewed advisories: All unreviewed 5,000+.
4,613 advisories
[Critical, Unreviewed] CVE-2026-56290, published Jun 29, 2026: The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload...
[High, Unreviewed] CVE-2026-49049, published Jun 29, 2026: The Helix3 plugin for Joomla exposes an ajax handler task, that allows unauthenticated attackers...
[Moderate, Unreviewed] CVE-2026-13553, published Jun 29, 2026: A flaw has been found in itsourcecode Online Hotel Management System 1.0. Affected is an unknown...
[Moderate, Unreviewed] CVE-2026-13547, published Jun 29, 2026: A vulnerability was determined in Hanwang e-Face General Management Platform 6.3.5.4. This issue...
[Moderate] CVE-2026-53520, published Jun 26, 2026 for github.com/nezhahq/nezha (Go): Nezha Monitoring: Authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing
[High] GHSA-vgrc-hq28-p3xp, published Jun 26, 2026 for github.com/apernet/hysteria/core/v2 (Go): Hysteria has an authenticated UDP ACL bypass that enables localhost and private-network UDP SSRF
[Moderate, Unreviewed] CVE-2026-50739, published Jun 26, 2026: A bypass for CVE-2026-34913 exists with proper ownership validation that had not been applied to...
[Moderate, Unreviewed] CVE-2026-50744, published Jun 26, 2026: A bypass to the admin-only restriction of the XML-RPC API in Revive Adserver 6.0.7. The API...
[Low, Unreviewed] CVE-2026-48936, published Jun 26, 2026: A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket...
[Moderate, Unreviewed] CVE-2026-48930, published Jun 26, 2026: A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent...
[Moderate, Unreviewed] CVE-2026-48928, published Jun 26, 2026: An inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context...
[Moderate] CVE-2026-48529, published Jun 25, 2026 for github.com/github/github-mcp-server (Go): GitHub MCP Server: Lockdown mode singleton in HTTP server causes cross-user GraphQL client confusion
[Moderate, Unreviewed] CVE-2026-56050, published Jun 25, 2026: Improper Access Control vulnerability in Themeisle PPOM for WooCommerce allows Exploiting...
[High, Unreviewed] CVE-2026-46733, published Jun 25, 2026: Dell Display and Peripheral Manager (DDPM Windows), versions prior to 2.3, contain an Improper...
[High, Unreviewed] CVE-2026-12490, published Jun 25, 2026: When a provide-xfr is given with a tls-auth-name, a secondary requesting a transfer should...
[Moderate, Unreviewed] CVE-2026-44957, published Jun 23, 2026: A missing access control check when invoking various modify methods in the XML-RPC API of Revive...
[Moderate, Unreviewed] CVE-2026-44958, published Jun 23, 2026: An access control bypass allows an advertiser-level user to activate or deactivate a banner in...
[Moderate, Unreviewed] CVE-2026-34912, published Jun 23, 2026: A missing access control check when linking banners or campaigns to a zone through the zone...
[Moderate, Unreviewed] CVE-2026-34913, published Jun 23, 2026: A missing access control check when linking trackers to campaigns through the campaign-trackers...
[Low, Unreviewed] CVE-2025-15619, published Jun 23, 2026: HCL Connections contains a broken access control vulnerability that may allow an unauthorized...
[High] CVE-2026-52810, published Jun 23, 2026 for gogs.io/gogs (Go): Gogs allows users to write to readonly repositories using receive-pack + service=git-upload-pack confusion
[High] CVE-2026-50132, published Jun 22, 2026 for @budibase/server (npm): Budibase has an Account Impersonation Issue — Chat Identity Link Hijacking via Missing Consent & CSRF
[Moderate] CVE-2026-31978, published Jun 22, 2026 for motioneye (pip): motionEye has an Arbitrary File Read via Path Traversal in Picture/Movie Preview Endpoint
[Moderate] CVE-2024-37155, published Jun 22, 2026 for pycti (pip): OpenCTI May Bypass Introspection Restriction
[Critical, Unreviewed] CVE-2026-28381, published Jun 22, 2026: The Snowflake datasource allows for GET/PUT commands, which can allow any user with access to run...
ProTip! Advisories are also available from the GraphQL API.