GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

32,216 advisories

@actual-app/cli `--format csv` Output Vulnerable to CSV Formula Injection via Custom `escapeCsv` Helper Moderate
CVE-2026-46672 was published for @actual-app/cli (npm) Jun 22, 2026
Credited to offset and MatissJanis
Glances: XML-RPC Server Missing Host Header Validation Enables DNS Rebinding Attack Moderate
CVE-2026-46611 was published for glances (pip) Jun 22, 2026
Credited to sectroyer
OpenDJ Pre-Auth RCE via Java Deserialization in JMX RMI Critical
CVE-2026-46495 was published for org.openidentityplatform.opendj:opendj-server-legacy (Maven) Jun 22, 2026
Credited to wodzen
motionEye: Authentication possible via password hash Critical
CVE-2026-46488 was published for motioneye (pip) Jun 22, 2026
Credited to FireByteApplications, 0xLynk, dimashn04, C4spr0x1A, sighnwaive, MichaIng, Marijn0, and zagrim
Spinnaker has unsafe YAML deserialization, allowing RCE when using specific types High
CVE-2026-44795 was published for io.spinnaker.orca:orca-core (Maven) Jun 22, 2026
OpenAM SAML2 Cluster Cookie-Hash-Redirect Path has Pre-authentication Reflected XSS via `FSUtils.postToTarget` Low
CVE-2026-44793 was published for org.openidentityplatform.openam:openam-federation-library (Maven) Jun 22, 2026
Credited to gujjuboy10x00
Inspektor Gadget: Unprivileged container can crash USDT note parser via crafted ELF (no shipped gadget affected) Low
CVE-2026-44778 was published for github.com/inspektor-gadget/inspektor-gadget (Go) Jun 22, 2026
Paymenter has broken object level authorization via service reference manipulation on ticket creation Moderate
CVE-2026-44585 was published for paymenter/paymenter (Composer) Jun 22, 2026
Credited to ljskatt and CorwinDev
Paymenter doesn't reset email verification status after email change Moderate
CVE-2026-44584 was published for paymenter/paymenter (Composer) Jun 22, 2026
Credited to ljskatt and CorwinDev
Paymenter has Blind Unauthenticated SSRF on the Paypal gateway module Moderate
CVE-2026-44583 was published for paymenter/paymenter (Composer) Jun 22, 2026
Credited to boomerangBS and CorwinDev
Build breakout using malicious Containerfile and Git Smart HTTP server or GitHub release tar archive Moderate
CVE-2026-44517 was published for github.com/containers/buildah (Go) Jun 22, 2026
Credited to eriksjolund
OpenAM has pre-auth Reflected XSS in OAuth2 / OIDC response_mode=form_post via state parameter (FormPostResponse.ftl) Critical
CVE-2026-44203 was published for org.openidentityplatform.openam:openam-oauth2 (Maven) Jun 22, 2026
Credited to gujjuboy10x00 and wodzen
OpenAM Authenticated Server-Side Request Forgery (SSRF) via `/sessionservice` Moderate
CVE-2026-44202 was published for org.openidentityplatform.openam:openam-core (Maven) Jun 22, 2026
xwiki-pro-macros has remote code execution from page title and content via excerpt-include macro Critical
CVE-2026-44179 was published for com.xwiki.pro:xwiki-pro-macros (Maven) Jun 22, 2026
Credited to michitux
runc: Malicious image with /dev symlink can trigger limited host filesystem integrity violations Moderate
CVE-2026-41579 was published for github.com/opencontainers/runc (Go) Jun 22, 2026
Credited to mosskappa and Dmanzella
OpenAM has LDAP Injection via `_queryId` Parameter High
CVE-2026-41573 was published for org.openidentityplatform.openam:openam-core-rest (Maven) Jun 22, 2026
Credited to nn0nkey
AVideo has an Authorize.Net Webhook Signature Bypass that Enables Wallet Balance Inflation via Forged Payment Data Moderate
CVE-2026-33731 was published for wwbn/avideo (Composer) Jun 22, 2026
Credited to offset
ComfyUI-Manager has an Unprotected Alternate Channel (CWE-420) High
CVE-2025-67303 was published for comfyui-manager (pip) Jun 22, 2026
AVideo Vulnerable to Unauthenticated .env File Exposure via Official Docker Compose Configuration High
CVE-2026-33692 was published for wwbn/avideo (Composer) Jun 22, 2026
Credited to morimori-dev
Credited to offset