Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

33,223 advisories

Loading
mcp-atlassian: Arbitrary server-side file read via attachment upload High
GHSA-wm45-qh3g-v83f was published for mcp-atlassian (pip) Jul 10, 2026
0xmagic0 Credited to 0xmagic0
SafeInstall agent guard shell parsing can miss raw package execution High
GHSA-xrmc-c5cg-rv7x was published for safeinstall-cli (npm) Jul 10, 2026
NotrinosERP: Authenticated arbitrary file upload leads to remote code execution via HRM employee "Documents" (doc_file) High
GHSA-qv4m-m73m-8hj7 was published for notrinos/notrinos-erp (Composer) Jul 10, 2026
BabelDOC: Arbitrary Code Execution via CMap Pickle Deserialization in babeldoc/pdfminer/cmapdb.py High
CVE-2026-54071 was published for BabelDOC (pip) Jul 10, 2026
EQSTLab Credited to EQSTLab and awwaawwa awwaawwa awwaawwa
File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE) Critical
CVE-2026-54088 was published for github.com/filebrowser/filebrowser/v2 (Go) Jul 10, 2026
Saku0512 Credited to Saku0512 and hacdias hacdias hacdias
`exploration` was removed from crates.io for malicious code Critical
GHSA-99j7-fhr2-xfj4 was published for exploration (Rust) Jul 10, 2026
Lechu69 Credited to Lechu69
SiYuan: Stored XSS in Bazaar marketplace via package README event handlers High
CVE-2026-54070 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
kah-ja Credited to kah-ja
File Browser: Authentication Bypass via Proxy Auth Header Forgery Critical
CVE-2026-54089 was published for github.com/filebrowser/filebrowser/v2 (Go) Jul 10, 2026
Akokonunes Credited to Akokonunes and neo-ai-engineer neo-ai-engineer neo-ai-engineer
SiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist Critical
CVE-2026-54069 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
oduoke567 Credited to oduoke567
SiYuan: Unauthenticated SQLite Data Exfiltration via Template Injection in /api/icon/getDynamicIcon Moderate
CVE-2026-54068 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
geo-chen Credited to geo-chen
0xmrma Credited to 0xmrma
Excelize: Unbounded Row Index Allocation in Worksheet Parser (checkSheet OOM/Panic DoS) High
CVE-2026-54063 was published for github.com/xuri/excelize/v2 (Go) Jul 10, 2026
EQSTLab Credited to EQSTLab
Authorizer: Unvalidated redirect_uri in /authorize leaks OAuth2 tokens to attacker-controlled URL Critical
CVE-2026-54072 was published for github.com/authorizerdev/authorizer (Go) Jul 10, 2026
morimori-dev Credited to morimori-dev
SiYuan: Stored XSS to RCE via CSS-snippet <style> breakout in renderSnippet() Critical
CVE-2026-54067 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
hillalee Credited to hillalee
SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file─read), Incomplete fix of CVE-2026-41894 High
CVE-2026-54066 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
aslein1413-sys Credited to aslein1413-sys
MCP Atlassian: DNS-rebinding TOCTOU bypass of the SSRF fix (CVE-2026-27826) Moderate
GHSA-489g-7rxv-6c8q was published for mcp-atlassian (pip) Jul 10, 2026
daniel-mertz Credited to daniel-mertz
tarteaucitron: data-cookie attribute can be used to delete arbitrary cookies Moderate
CVE-2026-49977 was published for tarteaucitronjs (npm) Jul 10, 2026
Rudloff Credited to Rudloff
libp2p: CPU DoS via oversized IHAVE and IWANT control message arrays High
CVE-2026-49866 was published for @libp2p/gossipsub (npm) Jul 10, 2026
tahaafarooq Credited to tahaafarooq
Kimai has Server-Side Request Forgery in Invoice PDF Rendering via Markdown Image URLs Moderate
CVE-2026-49865 was published for kimai/kimai (Composer) Jul 10, 2026
Mitchell45 Credited to Mitchell45
morgan vulnerable to Log Forging via unneutralized control characters in :remote-user Moderate
CVE-2026-5078 was published for morgan (npm) Jul 10, 2026
yuki-matsuhashi Credited to yuki-matsuhashi, UlisesGascon, and jonchurch UlisesGascon UlisesGascon
jonchurch jonchurch
tillmon Credited to tillmon and soyuka soyuka soyuka
Tesla vulnerable to multipart part smuggling via unescaped `content-disposition` values Low
CVE-2026-48598 was published for tesla (Erlang) Jul 10, 2026
PJUllrich Credited to PJUllrich, yordis, and maennchen yordis yordis
maennchen maennchen
Tesla vulnerable to atom exhaustion via untrusted URL scheme High
CVE-2026-48597 was published for tesla (Erlang) Jul 10, 2026
PJUllrich Credited to PJUllrich, yordis, and maennchen yordis yordis
maennchen maennchen
Tesla: Authorization header leaks on cross-origin redirect via case-sensitive filtering High
CVE-2026-48595 was published for tesla (Erlang) Jul 10, 2026
PJUllrich Credited to PJUllrich, yordis, and maennchen yordis yordis
maennchen maennchen
ProTip! Advisories are also available from the GraphQL API