Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

33,218 advisories

Loading
`exploration` was removed from crates.io for malicious code Critical
GHSA-99j7-fhr2-xfj4 was published for exploration (Rust) Jul 10, 2026
Lechu69 Credited to Lechu69
SiYuan: Stored XSS in Bazaar marketplace via package README event handlers High
CVE-2026-54070 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
kah-ja Credited to kah-ja
File Browser: Authentication Bypass via Proxy Auth Header Forgery Critical
CVE-2026-54089 was published for github.com/filebrowser/filebrowser/v2 (Go) Jul 10, 2026
Akokonunes Credited to Akokonunes and neo-ai-engineer neo-ai-engineer neo-ai-engineer
SiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist Critical
CVE-2026-54069 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
oduoke567 Credited to oduoke567
SiYuan: Unauthenticated SQLite Data Exfiltration via Template Injection in /api/icon/getDynamicIcon Moderate
CVE-2026-54068 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
geo-chen Credited to geo-chen
0xmrma Credited to 0xmrma
Excelize: Unbounded Row Index Allocation in Worksheet Parser (checkSheet OOM/Panic DoS) High
CVE-2026-54063 was published for github.com/xuri/excelize/v2 (Go) Jul 10, 2026
EQSTLab Credited to EQSTLab
Authorizer: Unvalidated redirect_uri in /authorize leaks OAuth2 tokens to attacker-controlled URL Critical
CVE-2026-54072 was published for github.com/authorizerdev/authorizer (Go) Jul 10, 2026
morimori-dev Credited to morimori-dev
SiYuan: Stored XSS to RCE via CSS-snippet <style> breakout in renderSnippet() Critical
CVE-2026-54067 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
hillalee Credited to hillalee
SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file─read), Incomplete fix of CVE-2026-41894 High
CVE-2026-54066 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
aslein1413-sys Credited to aslein1413-sys
MCP Atlassian: DNS-rebinding TOCTOU bypass of the SSRF fix (CVE-2026-27826) Moderate
GHSA-489g-7rxv-6c8q was published for mcp-atlassian (pip) Jul 10, 2026
daniel-mertz Credited to daniel-mertz
tarteaucitron: data-cookie attribute can be used to delete arbitrary cookies Moderate
CVE-2026-49977 was published for tarteaucitronjs (npm) Jul 10, 2026
Rudloff Credited to Rudloff
libp2p: CPU DoS via oversized IHAVE and IWANT control message arrays High
CVE-2026-49866 was published for @libp2p/gossipsub (npm) Jul 10, 2026
tahaafarooq Credited to tahaafarooq
Kimai has Server-Side Request Forgery in Invoice PDF Rendering via Markdown Image URLs Moderate
CVE-2026-49865 was published for kimai/kimai (Composer) Jul 10, 2026
Mitchell45 Credited to Mitchell45
morgan vulnerable to Log Forging via unneutralized control characters in :remote-user Moderate
CVE-2026-5078 was published for morgan (npm) Jul 10, 2026
yuki-matsuhashi Credited to yuki-matsuhashi, UlisesGascon, and jonchurch UlisesGascon UlisesGascon
jonchurch jonchurch
tillmon Credited to tillmon and soyuka soyuka soyuka
Tesla vulnerable to multipart part smuggling via unescaped `content-disposition` values Low
CVE-2026-48598 was published for tesla (Erlang) Jul 10, 2026
PJUllrich Credited to PJUllrich, yordis, and maennchen yordis yordis
maennchen maennchen
Tesla vulnerable to atom exhaustion via untrusted URL scheme High
CVE-2026-48597 was published for tesla (Erlang) Jul 10, 2026
PJUllrich Credited to PJUllrich, yordis, and maennchen yordis yordis
maennchen maennchen
Tesla: Authorization header leaks on cross-origin redirect via case-sensitive filtering High
CVE-2026-48595 was published for tesla (Erlang) Jul 10, 2026
PJUllrich Credited to PJUllrich, yordis, and maennchen yordis yordis
maennchen maennchen
Tesla has decompression bomb on response body High
CVE-2026-48594 was published for tesla (Erlang) Jul 10, 2026
PJUllrich Credited to PJUllrich, yordis, and maennchen yordis yordis
maennchen maennchen
Tesla has CRLF injection in request `Content-Type` header via `add_content_type_param` Low
CVE-2026-48596 was published for tesla (Erlang) Jul 10, 2026
PJUllrich Credited to PJUllrich, yordis, and maennchen yordis yordis
maennchen maennchen
Mistune: Potential DoS via quadratic-time parsing in parse_link_text High
CVE-2026-49851 was published for mistune (pip) Jul 9, 2026
bhanugoudm041 Credited to bhanugoudm041
GoBGP confederation validation panics on empty AS_PATH attribute Moderate
CVE-2026-49838 was published for github.com/osrg/gobgp/v4 (Go) Jul 9, 2026
acorn421 Credited to acorn421 and hibrian827 hibrian827 hibrian827
GoBGP: BGP OPEN capability parser may read capability values outside declared CapLen boundaries Moderate
CVE-2026-49837 was published for github.com/osrg/gobgp/v4 (Go) Jul 9, 2026
leo123-all Credited to leo123-all
ProTip! Advisories are also available from the GraphQL API