Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

33,218 advisories

Loading
OneRingBuf has a Use After Free Vulnerability Moderate
GHSA-q95x-7g78-rccv was published for oneringbuf (Rust) Jul 8, 2026
DSpace: Path Traversal is possible through LDN message generation Moderate
CVE-2026-49833 was published for org.dspace:dspace-api (Maven) Jul 8, 2026
superpegaso2703 Credited to superpegaso2703 and kshepherd kshepherd kshepherd
DSpace: ORE resource URI does not validate scheme for non-web resources Moderate
CVE-2026-49830 was published for org.dspace:dspace-api (Maven) Jul 8, 2026
superpegaso2703 Credited to superpegaso2703 and kshepherd kshepherd kshepherd
DSpace has a possible Path Traversal Vulnerability in its Curation Task Reporter output path Moderate
CVE-2026-49831 was published for org.dspace:dspace-api (Maven) Jul 8, 2026
superpegaso2703 Credited to superpegaso2703 and kshepherd kshepherd kshepherd
DSpace has possible Remote Code Execution (RCE) through Velocity Templates used by LDN High
CVE-2026-49832 was published for org.dspace:dspace-api (Maven) Jul 8, 2026
superpegaso2703 Credited to superpegaso2703 and kshepherd kshepherd kshepherd
Trapster Community: Unauthenticated malformed DNS compression pointers crash per-packet honeypot handler Moderate
GHSA-mxwc-wh95-pw4g was published for trapster (pip) Jul 8, 2026
tonghuaroot Credited to tonghuaroot
Sharp Missing Authorization Check in Quick Creation Command Endpoints Moderate
CVE-2026-53634 was published for code16/sharp (Composer) Jul 8, 2026
baradika Credited to baradika
Nuclio: Unsanitized cron trigger event headers/body injected into CronJob shell command leads to persistent RCE Critical
CVE-2026-52831 was published for github.com/nuclio/nuclio (Go) Jul 8, 2026
j311yl0v3u Credited to j311yl0v3u and b0b0haha b0b0haha b0b0haha
async-tar PAX extension-header desync enables tar entry/content smuggling Moderate
CVE-2026-53600 was published for async-tar (Rust) Jul 8, 2026
tonghuaroot Credited to tonghuaroot
Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding — chunked / HTTP/2 requests High
CVE-2026-50197 was published for github.com/zalando/skipper (Go) Jul 8, 2026
tonghuaroot Credited to tonghuaroot
`lxml_html_clean.Cleaner` does not strip `javascript:` URLs from namespaced URL attributes High
CVE-2026-49825 was published for lxml_html_clean (pip) Jul 8, 2026
glefait Credited to glefait, frenzymadness, and scoder frenzymadness frenzymadness
scoder scoder
Weblate SSRF: outbound URL guard misses some private ranges Moderate
CVE-2026-50127 was published for weblate (pip) Jul 7, 2026
tonghuaroot Credited to tonghuaroot and nijel nijel nijel
oasdiff does not enforce --allow-external-refs=false on the git-revision load path (SSRF / local file read) Moderate
CVE-2026-53508 was published for github.com/oasdiff/oasdiff (Go) Jul 7, 2026
KEDA has PostgreSQL connection string parameter injection via incomplete whitespace escaping Moderate
CVE-2026-53572 was published for github.com/kedacore/keda/v2 (Go) Jul 7, 2026
mert2m Credited to mert2m
Flask-Security-Too: WebAuthn reauthentication freshness bypass via cross-user assertion Moderate
GHSA-f66q-9rf6-8795 was published for Flask-Security-Too (pip) Jul 7, 2026
tonghuaroot Credited to tonghuaroot
Goploy: Arbitrary File Read via Path Traversal in /deploy/fileDiff allows Remote Server Compromise High
CVE-2026-53553 was published for github.com/zhenorzz/goploy (Go) Jul 7, 2026
What-canIsay Credited to What-canIsay
Goploy: Cross-namespace IDOR and RCE via body-supplied row id in project and project_file handlers Critical
CVE-2026-53552 was published for github.com/zhenorzz/goploy (Go) Jul 7, 2026
tonghuaroot Credited to tonghuaroot
ha-mcp: Add-on settings and policy routes are reachable without authentication at the bare root path Moderate
GHSA-q855-8rh5-jfgq was published for ha-mcp (pip) Jul 7, 2026
bharat Credited to bharat
rama has Stored XSS in ServeDir HTML directory listing via unescaped file names and URI path Low
GHSA-cwv4-h3j5-w3cf was published for rama (Rust) Jul 7, 2026
chaitanyagarware Credited to chaitanyagarware
aiosmtplib vulnerable to SMTP command injection via CR/LF in sender/recipient address Moderate
CVE-2026-53533 was published for aiosmtplib (pip) Jul 7, 2026
tonghuaroot Credited to tonghuaroot
Kite has an authenticated cluster RBAC bypass in /api/v1/overview Moderate
CVE-2026-53487 was published for github.com/zxh326/kite (Go) Jul 7, 2026
DavidCarliez Credited to DavidCarliez
ratex-parser has unbounded parser recursion that leads to stack overflow (process abort) Moderate
CVE-2026-53531 was published for ratex-parser (Rust) Jul 7, 2026
nikkoenggaliano Credited to nikkoenggaliano
ratex-parser panics on `\verb` with a multibyte delimiter (UTF-8 byte-boundary slice) High
CVE-2026-53530 was published for ratex-parser (Rust) Jul 7, 2026
nikkoenggaliano Credited to nikkoenggaliano
@better-auth/scim: Account/provider takeover via missing owner binding on non-org SCIM providers High
GHSA-j8v8-g9cx-5qf4 was published for @better-auth/scim (npm) Jul 7, 2026
Jvr2022 Credited to Jvr2022
ProTip! Advisories are also available from the GraphQL API