GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,296
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
33,218 advisories
Filter by severity
Kimai: ExportTemplate CRUD Missing Authorization Check Allows Unauthorized TEAMLEAD Access
Moderate
CVE-2026-52828
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai: Pre-2FA KIMAI_SESSION cookie grants full authenticated REST API access, bypassing TOTP
High
CVE-2026-52827
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai: Improper Authorization in Project, Customer, and Activity Rate Edit Endpoints Allows Cross-Scope Rate Manipulation
Moderate
CVE-2026-52826
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai has Improper Authorization in Team Member and Team Activity Assignment APIs Which Allows Expansion of Team Scope Beyond Authorized Visibility
Moderate
CVE-2026-52825
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai: Default APP_SECRET in Docker Image Enables Cookie Forgery and Account Takeover
Critical
CVE-2026-52824
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai: Login CSRF in the Timesheet Stop and Restart API Endpoints Allows Unauthorized State Changes
Moderate
CVE-2026-52823
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Improper Authorization in Kimai Timesheet Restart and Duplicate Allows New Timesheets After Project Access Revocation
Moderate
CVE-2026-52822
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai: Improper Authorization Through Activity Creation with Preset Project Allows Creation Under Unauthorized Projects
Moderate
CVE-2026-52821
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai: Timesheet PATCH/POST allows assigning to project outside user's team via query_builder OR-bypass
Moderate
CVE-2026-52820
was published
for
kimai/kimai
(Composer)
Jul 13, 2026
Kimai: Teamlead authorization bypass in GET /api/timesheets allows reading other users' timesheet records without being teamlead of the target
Moderate
CVE-2026-52819
was published
for
kimai/kimai
(Composer)
Jul 13, 2026
Kimai: Login CSRF in Default Team Creation Endpoints Allows Unauthorized Team and Permission Structure Changes
Moderate
CVE-2026-49992
was published
for
kimai/kimai
(Composer)
Jul 13, 2026
Apple App Store Server Python Library: SignedDataVerifier accepts stale OCSP GOOD responses and can bypass certificate revocation checks
Moderate
GHSA-8f6j-263m-g72x
was published
for
app-store-server-library
(pip)
Jul 13, 2026
json_repair: Circular JSON Schema `$ref` causes unbounded CPU DoS
High
GHSA-xf7x-x43h-rpqh
was published
for
json-repair
(pip)
Jul 13, 2026
FacturaScripts: Account takeover of any 2FA-enabled user
Critical
CVE-2026-47677
was published
for
facturascripts/facturascripts
(Composer)
Jul 13, 2026
DIRAC: SQL injection and lack of access control in PilotManager service
High
GHSA-7xw9-549r-8jrc
was published
for
DIRAC
(pip)
Jul 13, 2026
DIRAC: Pilot code downloaded over unverified HTTPS connection
High
CVE-2026-61668
was published
for
DIRAC
(pip)
Jul 13, 2026
DIRAC is vulnerable to RCE in FileCatalog DatasetManager via SQL injection + eval
Critical
CVE-2026-61667
was published
for
DIRAC
(pip)
Jul 13, 2026
Apollo ConfigService access key authentication bypass via raw config file appId parsing
High
CVE-2026-59955
was published
for
com.ctrip.framework.apollo:apollo
(Maven)
Jul 13, 2026
Apollo ConfigService access key authentication bypass via appId parsing and non-canonical matching
High
CVE-2026-59954
was published
for
com.ctrip.framework.apollo:apollo
(Maven)
Jul 13, 2026
NukeViet: Pre-authentication SSRF via X-Forwarded-Host
High
CVE-2026-55372
was published
for
nukeviet/nukeviet
(Composer)
Jul 13, 2026
NukeViet: Path Traversal to Arbitrary File Deletion in Edit Comment Function
High
CVE-2026-54065
was published
for
nukeviet/nukeviet
(Composer)
Jul 13, 2026
NukeViet: Multiple Anti-XSS Filter Bypasses Leading to Stored XSS in News Module
High
CVE-2026-54064
was published
for
nukeviet/nukeviet
(Composer)
Jul 13, 2026
NukeViet: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
High
CVE-2026-49259
was published
for
nukeviet/nukeviet
(Composer)
Jul 13, 2026
NukeViet: Unauthenticated Reflected XSS in Comment Module
High
CVE-2026-48118
was published
for
nukeviet/nukeviet
(Composer)
Jul 13, 2026
DIRAC is vulnerable to RCE in RequestManager due to eval on untrusted input
Critical
CVE-2026-45579
was published
for
DIRAC
(pip)
Jul 13, 2026
ProTip!
Advisories are also available from the
GraphQL API