GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 74
GitHub Actions: 54
Go: 4,087
Maven: 5,000+
npm: 5,000+
NuGet: 994
pip: 5,000+
Pub: 13
RubyGems: 1,095
Rust: 1,414
Swift: 61
Unreviewed advisories
All unreviewed: 5,000+
161,457 advisories
zeroconf: Unvalidated rdlength in record payload readers allows LAN-local cache corruption via crafted mDNS packet
Moderate | CVE-2026-48487 was published for zeroconf (pip) | Jun 22, 2026
devbridge-autocomplete has XSS in its default formatters: formatGroup and formatResult fail to escape HTML in untrusted inputs
Moderate | GHSA-hvqh-jw65-wcpq was published for devbridge-autocomplete (npm) | Jun 22, 2026
nebula-mesh stores enrollment tokens unhashed in SQLite
Moderate | GHSA-ghmh-jhmj-wcmf was published for github.com/juev/nebula-mesh (Go) | Jun 22, 2026
Gogs has SSRF in webhook deliveries
Moderate | CVE-2026-47267 was published for gogs.io/gogs (Go) | Jun 22, 2026
@actual-app/sync-server's missing authorization on GET /secret/:name allows non-admin OpenID users to enumerate admin-configured bank-sync secrets
Moderate | CVE-2026-46700 was published for @actual-app/sync-server (npm) | Jun 22, 2026
@actual-app/cli `--format csv` Output Vulnerable to CSV Formula Injection via Custom `escapeCsv` Helper
Moderate | CVE-2026-46672 was published for @actual-app/cli (npm) | Jun 22, 2026
Glances: XML-RPC Server Missing Host Header Validation Enables DNS Rebinding Attack
Moderate | CVE-2026-46611 was published for glances (pip) | Jun 22, 2026
IBM i 7.6, 7.5, 7.4, and 7.3, IBM WebSphere Application Server, and IBM WebSphere Application...
Moderate | Unreviewed | CVE-2026-10852 was published | Jun 22, 2026
Dell Wyse Management Suite (WMS), versions prior to WMS 2605, contain a Use of Default...
Moderate | Unreviewed | CVE-2026-44273 was published | Jun 22, 2026
Paymenter has broken object level authorization via service reference manipulation on ticket creation
Moderate | CVE-2026-44585 was published for paymenter/paymenter (Composer) | Jun 22, 2026
Paymenter doesn't reset email verification status after email change
Moderate | CVE-2026-44584 was published for paymenter/paymenter (Composer) | Jun 22, 2026
Paymenter has Blind Unauthenticated SSRF on the Paypal gateway module
Moderate | CVE-2026-44583 was published for paymenter/paymenter (Composer) | Jun 22, 2026
Build breakout using malicious Containerfile and Git Smart HTTP server or GitHub release tar archive
Moderate | CVE-2026-44517 was published for github.com/containers/buildah (Go) | Jun 22, 2026
OpenAM Authenticated Server-Side Request Forgery (SSRF) via `/sessionservice`
Moderate | CVE-2026-44202 was published for org.openidentityplatform.openam:openam-core (Maven) | Jun 22, 2026
runc: Malicious image with /dev symlink can trigger limited host filesystem integrity violations
Moderate | CVE-2026-41579 was published for github.com/opencontainers/runc (Go) | Jun 22, 2026
AVideo has an Authorize.Net Webhook Signature Bypass that Enables Wallet Balance Inflation via Forged Payment Data
Moderate | CVE-2026-33731 was published for wwbn/avideo (Composer) | Jun 22, 2026
Akaunting 3.1.21 contains an authenticated stored Cross-Site Scripting vulnerability in the...
Moderate | Unreviewed | CVE-2026-11994 was published | Jun 22, 2026
IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0...
Moderate | Unreviewed | CVE-2026-9320 was published | Jun 22, 2026
IBM Watson Speech Services Cartridge is vulnerable to Server-Side Request Forgery (SSRF) in...
Moderate | Unreviewed | CVE-2026-7253 was published | Jun 22, 2026
IBM Datacap 9.1.7, 9.1.8, and 9.1.9 and IBM Datacap Navigator 9.1.7, 9.1.8, and 9.1.9 is...
Moderate | Unreviewed | CVE-2026-8059 was published | Jun 22, 2026
IBM Datacap 9.1.7, 9.1.8, and 9.1.9 and IBM Datacap Navigator 9.1.7, 9.1.8, and 9.1.9 allows an...
Moderate | Unreviewed | CVE-2026-8636 was published | Jun 22, 2026
A Missing Authorization vulnerability in a GraphQL private API operation of the Google App Engine...
Moderate | Unreviewed | CVE-2026-8934 was published | Jun 22, 2026
A heap-based buffer overflow was found in dnsmasq. When DNSSEC validation and query logging are...
Moderate | Unreviewed | CVE-2026-12725 was published | Jun 22, 2026
Lack of authentication when using the "snapshot diff" functions in qSnapper before version 1.3.3...
Moderate | Unreviewed | CVE-2026-41047 was published | Jun 22, 2026
The fix for CVE-2026-2443 was regressed by a subsequent rework commit that replaced specific...
Moderate | Unreviewed | CVE-2026-12549 was published | Jun 22, 2026
ProTip! Advisories are also available from the GraphQL API.