Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

33,218 advisories

Loading
psd-tools vulnerable to arbitrary file write via smart-object filename Moderate
CVE-2026-49836 was published for psd-tools (pip) Jul 9, 2026
seankohjs Credited to seankohjs and yueyueL yueyueL yueyueL
sigstore-go has a multi-log threshold bypass via single compromised log Moderate
CVE-2026-49834 was published for github.com/sigstore/sigstore-go (Go) Jul 9, 2026
Rattler vulnerable to package cache path traversal via conda package build string Moderate
CVE-2026-53956 was published for py_rattler (pip) Jul 9, 2026
OpenRun: Redirect URL validation bypass using  //host  paths leads to Open Redirect Moderate
CVE-2026-55252 was published for github.com/openrundev/openrun (Go) Jul 9, 2026
Fushuling Credited to Fushuling and RacerZ-fighting RacerZ-fighting RacerZ-fighting
mint: Unbounded streams map growth via PUSH_PROMISE without follow-up HEADERS High
CVE-2026-48862 was published for mint (Erlang) Jul 9, 2026
PJUllrich Credited to PJUllrich, ericmj, and maennchen ericmj ericmj
maennchen maennchen
mint: Unbounded CONTINUATION/HEADERS frame accumulation (CONTINUATION flood) High
CVE-2026-49754 was published for mint (Erlang) Jul 9, 2026
PJUllrich Credited to PJUllrich, ericmj, and maennchen ericmj ericmj
maennchen maennchen
mint: Content-Length header accepts non-RFC "+" sign prefix Moderate
CVE-2026-49753 was published for mint (Erlang) Jul 9, 2026
PJUllrich Credited to PJUllrich, ericmj, and maennchen ericmj ericmj
maennchen maennchen
mint has potential CRLF injection in its HTTP request line via unvalidated `method`/`target` Low
CVE-2026-48861 was published for mint (Erlang) Jul 9, 2026
PJUllrich Credited to PJUllrich, maennchen, and ericmj maennchen maennchen
ericmj ericmj
pypdf: Possible infinite loop when processing threads/articles in writer Moderate
CVE-2026-54651 was published for pypdf (pip) Jul 9, 2026
k0w4lzk1 Credited to k0w4lzk1 and stefan6419846 stefan6419846 stefan6419846
Sylius: IDOR on Shop Payment Request API endpoints Moderate
CVE-2026-53639 was published for sylius/sylius (Composer) Jul 9, 2026
baradika Credited to baradika
Sylius: Channel-based payment method restriction bypass on shop account orders API endpoint Moderate
CVE-2026-53638 was published for sylius/sylius (Composer) Jul 9, 2026
FredrikEV Credited to FredrikEV
Sylius: Cart FormComponent allows modification or deletion of an already-completed order Moderate
CVE-2026-53637 was published for sylius/sylius (Composer) Jul 9, 2026
kgonella Credited to kgonella
YesWiki has Unsafe eval() in its Formula Calculato, Leading to Remote Code Execution & Denial of Service Critical
CVE-2026-52778 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
N0tFix3d Credited to N0tFix3d
YesWiki Vulnerable to Authenticated PHP Object Injection in BazarImportAction via unserialize Critical
CVE-2026-52777 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
fg0x0 Credited to fg0x0
YesWiki has Authenticated SQL Injection via ReactionManager High
CVE-2026-52775 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
SnailSploit Credited to SnailSploit and 0xShemesh 0xShemesh 0xShemesh
YesWiki Vulnerable to Reflected XSS via Unescaped `id` Parameter in Bazar Widget HTML Attributes Moderate
CVE-2026-52774 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
hash3liZer Credited to hash3liZer
YesWiki Vulnerable to Reflected XSS via Unescaped Archived-Revision `time` Parameter in `handlers/page/show.php` Moderate
CVE-2026-52773 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
hash3liZer Credited to hash3liZer
YesWiki has stored XSS in Bazar form-field templates via unescaped field.label / field.hint (|raw('html')) Moderate
CVE-2026-52772 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
offset Credited to offset
YesWiki: Second-Order SQL Injection in Page Delete API via Unescaped Page Tag (`ApiController::deletePage`) High
CVE-2026-52771 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
hash3liZer Credited to hash3liZer
YesWiki: SQL Injection possible through public Bazar entry-listing APIs via numeric `query`/`queries` filters High
CVE-2026-52770 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
sondt99 Credited to sondt99
YesWiki has Unauthenticated Server-Side Request Forgery via ActivityPub `Signature.keyId` High
CVE-2026-52769 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
hash3liZer Credited to hash3liZer
hash3liZer Credited to hash3liZer
YesWiki vulnerable to unauthenticated arbitrary page deletion via `{{erasespamedcomments}}` action Critical
CVE-2026-52766 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
CosmicCrusader23 Credited to CosmicCrusader23
YesWiki: SQL injection via the `recentchanges` action `period` argument leads to arbitrary DB read Moderate
CVE-2026-52763 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
CosmicCrusader23 Credited to CosmicCrusader23
hash3liZer Credited to hash3liZer and eros938 eros938 eros938
ProTip! Advisories are also available from the GraphQL API