GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,296
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
33,218 advisories
Filter by severity
Better Auth: Stale sessions persist after user deletion across admin, anonymous, and SCIM flows
Low
GHSA-2vg6-77g8-24mp
was published
for
@better-auth/scim
(npm)
Jul 7, 2026
@better-auth/oauth-provider's OAuth authorization-code grant allows concurrent redemption when two token requests race the find-then-delete primitive
High
CVE-2026-53518
was published
for
@better-auth/oauth-provider
(npm)
Jul 7, 2026
@better-auth/sso provider registration has server-side request forgery via unvalidated OIDC endpoints
Critical
CVE-2026-53513
was published
for
@better-auth/sso
(npm)
Jul 7, 2026
Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption
High
CVE-2026-53517
was published
for
@better-auth/oauth-provider
(npm)
Jul 7, 2026
Better Auth has insecure cryptographic defaults in oidcProvider: alg=none advertised and plain PKCE accepted by default
High
GHSA-9h47-pqcx-hjr4
was published
for
better-auth
(npm)
Jul 7, 2026
Better Auth has stored XSS in the auth-server origin via javascript: redirect_uri in oidc-provider and mcp
High
GHSA-86j7-9j95-vpqj
was published
for
better-auth
(npm)
Jul 7, 2026
Better Auth has an account takeover issue via OAuth auto-link to unverified pre-registered email
High
CVE-2026-53516
was published
for
better-auth
(npm)
Jul 7, 2026
Better Auth vulnerable to unauthorized invitation acceptance via unverified email match in organization plugin
High
CVE-2026-53514
was published
for
better-auth
(npm)
Jul 7, 2026
@better-auth/oauth-provider may provide access tokens for unauthorized audiences via unbound resource indicators
Moderate
GHSA-p2fr-6hmx-4528
was published
for
@better-auth/oauth-provider
(npm)
Jul 7, 2026
Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins
Critical
CVE-2026-53512
was published
for
better-auth
(npm)
Jul 7, 2026
netfoil: Attacker controlled data written to logs
Low
GHSA-7856-g3gv-9wq8
was published
for
github.com/tinfoil-factory/netfoil
(Go)
Jul 7, 2026
netfoil has a resource leak in LRU cache
Low
GHSA-3g4q-2f67-2gvh
was published
for
github.com/tinfoil-factory/netfoil
(Go)
Jul 7, 2026
netfoil has a domain name filter bypass via multiple questions
Moderate
GHSA-59qp-cfj3-rp64
was published
for
github.com/tinfoil-factory/netfoil
(Go)
Jul 7, 2026
uutils coreutils: cp/install/mv/ln --suffix alone does not enable backup mode (silent data loss vs GNU)
High
GHSA-fqf6-gxhh-2xhw
was published
for
uucore
(Rust)
Jul 7, 2026
@aborruso/ckan-mcp-server: SSRF via base_url allows access to internal networks (Potential fix bypass of CVE-2026-33060)
Moderate
CVE-2026-53509
was published
for
@aborruso/ckan-mcp-server
(npm)
Jul 7, 2026
Open WebUI has Blind Server Side Request Forgery in its Image Edit Functionality
Moderate
CVE-2026-34225
was published
for
open-webui
(pip)
Jul 7, 2026
Open WebUI vulnerable to Stored XSS via iFrame embeds in response messages
High
CVE-2026-26193
was published
for
open-webui
(pip)
Jul 7, 2026
Open WebUI vulnerable to Stored XSS via iFrame in citations model
High
CVE-2026-26192
was published
for
open-webui
(pip)
Jul 7, 2026
Open WebUI vulnerable to stored XSS via unescaped markdown token in MarkdownTokens.svelte leading to full account takeover and RCE via functions
High
CVE-2025-46719
was published
for
open-webui
(pip)
Jul 7, 2026
Open WebUI allows limited stored XSS vila uploaded html file
Moderate
CVE-2025-46571
was published
for
open-webui
(pip)
Jul 7, 2026
EGroupware Vulnerable to Local File Inclusion via file:// URI in Mail Compose
Moderate
CVE-2026-45016
was published
for
egroupware/egroupware
(Composer)
Jul 7, 2026
ONNX has Null Pointer Dereference in Upsample Version Converter Adapter (Zero Inputs)
Moderate
CVE-2026-44512
was published
for
onnx
(pip)
Jul 7, 2026
New API is vulnerable to CSRF through user email binding
Moderate
CVE-2026-44342
was published
for
github.com/QuantumNous/new-api
(Go)
Jul 7, 2026
EGroupware has Authenticated RCE via Malicious eTemplate Upload
High
CVE-2026-40187
was published
for
egroupware/egroupware
(Composer)
Jul 7, 2026
XWiki Platform Old Core: Resource path traversal via /skin/ action endpoint in Jetty 12+
High
CVE-2026-34151
was published
for
org.xwiki.platform:xwiki-platform-oldcore
(Maven)
Jul 7, 2026
ProTip!
Advisories are also available from the
GraphQL API