Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

33,218 advisories

Loading
Better Auth: Stale sessions persist after user deletion across admin, anonymous, and SCIM flows Low
GHSA-2vg6-77g8-24mp was published for @better-auth/scim (npm) Jul 7, 2026
iruizsalinas Credited to iruizsalinas
chdanielmueller Credited to chdanielmueller
@better-auth/sso provider registration has server-side request forgery via unvalidated OIDC endpoints Critical
CVE-2026-53513 was published for @better-auth/sso (npm) Jul 7, 2026
vaadata-poyetont Credited to vaadata-poyetont
Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption High
CVE-2026-53517 was published for @better-auth/oauth-provider (npm) Jul 7, 2026
chdanielmueller Credited to chdanielmueller
subhanUmer Credited to subhanUmer
Better Auth has stored XSS in the auth-server origin via javascript: redirect_uri in oidc-provider and mcp High
GHSA-86j7-9j95-vpqj was published for better-auth (npm) Jul 7, 2026
hillalee Credited to hillalee
Better Auth has an account takeover issue via OAuth auto-link to unverified pre-registered email High
CVE-2026-53516 was published for better-auth (npm) Jul 7, 2026
avrmeduard Credited to avrmeduard
widavies Credited to widavies
@better-auth/oauth-provider may provide access tokens for unauthorized audiences via unbound resource indicators Moderate
GHSA-p2fr-6hmx-4528 was published for @better-auth/oauth-provider (npm) Jul 7, 2026
dvanmali Credited to dvanmali
Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins Critical
CVE-2026-53512 was published for better-auth (npm) Jul 7, 2026
subhanUmer Credited to subhanUmer
netfoil: Attacker controlled data written to logs Low
GHSA-7856-g3gv-9wq8 was published for github.com/tinfoil-factory/netfoil (Go) Jul 7, 2026
stigtsp Credited to stigtsp
netfoil has a resource leak in LRU cache Low
GHSA-3g4q-2f67-2gvh was published for github.com/tinfoil-factory/netfoil (Go) Jul 7, 2026
stigtsp Credited to stigtsp
netfoil has a domain name filter bypass via multiple questions Moderate
GHSA-59qp-cfj3-rp64 was published for github.com/tinfoil-factory/netfoil (Go) Jul 7, 2026
@aborruso/ckan-mcp-server: SSRF via base_url allows access to internal networks (Potential fix bypass of CVE-2026-33060) Moderate
CVE-2026-53509 was published for @aborruso/ckan-mcp-server (npm) Jul 7, 2026
hibrian827 Credited to hibrian827
Open WebUI has Blind Server Side Request Forgery in its Image Edit Functionality Moderate
CVE-2026-34225 was published for open-webui (pip) Jul 7, 2026
gg0h Credited to gg0h
Open WebUI vulnerable to Stored XSS via iFrame embeds in response messages High
CVE-2026-26193 was published for open-webui (pip) Jul 7, 2026
gg0h Credited to gg0h
Open WebUI vulnerable to Stored XSS via iFrame in citations model High
CVE-2026-26192 was published for open-webui (pip) Jul 7, 2026
gg0h Credited to gg0h
Open WebUI allows limited stored XSS vila uploaded html file Moderate
CVE-2025-46571 was published for open-webui (pip) Jul 7, 2026
choket Credited to choket
EGroupware Vulnerable to Local File Inclusion via file:// URI in Mail Compose Moderate
CVE-2026-45016 was published for egroupware/egroupware (Composer) Jul 7, 2026
smitocaru Credited to smitocaru
ONNX has Null Pointer Dereference in Upsample Version Converter Adapter (Zero Inputs) Moderate
CVE-2026-44512 was published for onnx (pip) Jul 7, 2026
MinicoAI Credited to MinicoAI
New API is vulnerable to CSRF through user email binding Moderate
CVE-2026-44342 was published for github.com/QuantumNous/new-api (Go) Jul 7, 2026
kyo-w Credited to kyo-w
EGroupware has Authenticated RCE via Malicious eTemplate Upload High
CVE-2026-40187 was published for egroupware/egroupware (Composer) Jul 7, 2026
dapickle Credited to dapickle
XWiki Platform Old Core: Resource path traversal via /skin/ action endpoint in Jetty 12+ High
CVE-2026-34151 was published for org.xwiki.platform:xwiki-platform-oldcore (Maven) Jul 7, 2026
khoaln98 Credited to khoaln98
ProTip! Advisories are also available from the GraphQL API