Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

33,218 advisories

Loading
Decidim: Push subscriptions can be abused for server-side requests Moderate
CVE-2026-45573 was published for decidim-core (RubyGems) Jul 13, 2026
Decidim: HTML content blocks allow stored script execution Moderate
CVE-2026-45572 was published for decidim-core (RubyGems) Jul 13, 2026
Decidim: CSV census record endpoints improper authorization Moderate
CVE-2026-45415 was published for decidim-verifications (RubyGems) Jul 13, 2026
Decidim: JWT-backed authentication can be replayed across organizations High
CVE-2026-45414 was published for decidim (RubyGems) Jul 13, 2026
Decidim: Verification documents can be downloaded through reusable links High
CVE-2026-45378 was published for decidim-verifications (RubyGems) Jul 13, 2026
andreslucena Credited to andreslucena
Decidim: Private exports can be downloaded through reusable links Moderate
CVE-2026-45377 was published for decidim-core (RubyGems) Jul 13, 2026
Decidim: Admin user search allows SQL injection through similarity-based sorting Moderate
CVE-2026-45376 was published for decidim-admin (RubyGems) Jul 13, 2026
Decidim: Verification admins can access supplied IDs from other organizations Moderate
CVE-2026-45330 was published for decidim-verifications (RubyGems) Jul 13, 2026
Decidim: Forms admin question editor lacks authorization Moderate
CVE-2026-45086 was published for decidim-demographics (RubyGems) Jul 13, 2026
Apollo Portal: There is a risk of unauthorized access to the Apollo configuration center Moderate
CVE-2025-32781 was published for com.ctrip.framework.apollo:apollo (Maven) Jul 13, 2026
lesignals Credited to lesignals
GeoNode: Stored XSS to full account takeover Moderate
CVE-2024-27091 was published for geonode (pip) Jul 13, 2026
ImThatT Credited to ImThatT
TSDProxy: Internal proxy auth token forwarded to backend services enables management API escalation Critical
GHSA-g936-7jqj-mwv8 was published for github.com/almeidapaulopt/tsdproxy (Go) Jul 10, 2026
therawdev Credited to therawdev
melange: Incomplete package integrity verification allows data section substitution High
CVE-2026-54174 was published for chainguard.dev/apko (Go) Jul 10, 2026
xnox Credited to xnox and egibs egibs egibs
Excon does not redact additional sensitive/risky headers when following redirects Moderate
CVE-2026-54171 was published for excon (RubyGems) Jul 10, 2026
SnailSploit Credited to SnailSploit
Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enabled is unset High
GHSA-h4g2-xfmw-q2c9 was published for clauster (pip) Jul 10, 2026
Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input Moderate
CVE-2026-54163 was published for secure_headers (RubyGems) Jul 10, 2026
tonghuaroot Credited to tonghuaroot
SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content Critical
CVE-2026-50551 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
Yunkaiwjs Credited to Yunkaiwjs
prestashop/ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE Critical
CVE-2026-54159 was published for prestashop/ps_facetedsearch (Composer) Jul 10, 2026
SiYuan: Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML() Critical
CVE-2026-54158 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
hillalee Credited to hillalee
mcp-atlassian: Arbitrary file read via missing path validation in confluence_upload_attachment High
GHSA-g5r6-gv6m-f5jv was published for mcp-atlassian (pip) Jul 10, 2026
rainfantry Credited to rainfantry
mcp-atlassian: Arbitrary server-side file read via attachment upload High
GHSA-wm45-qh3g-v83f was published for mcp-atlassian (pip) Jul 10, 2026
0xmagic0 Credited to 0xmagic0
SafeInstall agent guard shell parsing can miss raw package execution High
GHSA-xrmc-c5cg-rv7x was published for safeinstall-cli (npm) Jul 10, 2026
NotrinosERP: Authenticated arbitrary file upload leads to remote code execution via HRM employee "Documents" (doc_file) High
GHSA-qv4m-m73m-8hj7 was published for notrinos/notrinos-erp (Composer) Jul 10, 2026
BabelDOC: Arbitrary Code Execution via CMap Pickle Deserialization in babeldoc/pdfminer/cmapdb.py High
CVE-2026-54071 was published for BabelDOC (pip) Jul 10, 2026
EQSTLab Credited to EQSTLab and awwaawwa awwaawwa awwaawwa
File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE) Critical
CVE-2026-54088 was published for github.com/filebrowser/filebrowser/v2 (Go) Jul 10, 2026
Saku0512 Credited to Saku0512 and hacdias hacdias hacdias
ProTip! Advisories are also available from the GraphQL API