Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

33,218 advisories

Loading
tarryGrain0 Credited to tarryGrain0 and Paul-Bob Paul-Bob Paul-Bob
laravel-backup-restore has an OS Command Injection during database restore High
CVE-2026-53932 was published for wnx/laravel-backup-restore (Composer) Jul 9, 2026
YHalo-wyh Credited to YHalo-wyh
nebula-mesh: Host revocation is not durable - blocked/offboarded hosts can regain a valid certificate Moderate
CVE-2026-53602 was published for github.com/forgekeep/nebula-mesh (Go) Jul 9, 2026
Gittensory: Missing contributor-scoped access control on profile endpoint and MCP tool leaks miner financial data Moderate
GHSA-382c-vx95-w3p5 was published for @jsonbored/gittensory-mcp (npm) Jul 9, 2026
homanp Credited to homanp
Admidio: CSRF on Plugin Install, Uninstall, and Update via Unprotected GET Requests Moderate
CVE-2026-53760 was published for admidio/admidio (Composer) Jul 9, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Craft CMS: RCE via missing cleanseConfig in FieldsController::actionRenderCardPreview High
GHSA-86vw-x4ww-x467 was published for craftcms/cms (Composer) Jul 9, 2026
q1uf3ng Credited to q1uf3ng
Craft CMS has authenticated path traversal in `assets/icon`, allowing local `.svg` file read Low
GHSA-c43v-4cr8-6mvp was published for craftcms/cms (Composer) Jul 9, 2026
GCXWLP Credited to GCXWLP
Ruby CSS Parser: SSRF and Local File Disclosure in `CssParser::Parser#read_remote_file` High
CVE-2026-53727 was published for css_parser (RubyGems) Jul 9, 2026
JLLeitschuh Credited to JLLeitschuh
org.hl7.fhir.core: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint High
CVE-2026-49485 was published for ca.uhn.hapi.fhir:org.hl7.fhir.dstu2 (Maven) Jul 9, 2026
pymonocypher: Potential heap buffer overflow on nb_blocks in argon2i_32 when provided buffer is too small Moderate
CVE-2026-53720 was published for pymonocypher (pip) Jul 9, 2026
hextheshadow Credited to hextheshadow
Note Mark: Path traversal via unsanitized book/note slug in migrate export (sibling of GHSA-g49p) High
CVE-2026-50553 was published for github.com/enchant97/note-mark/backend (Go) Jul 9, 2026
tonghuaroot Credited to tonghuaroot, Yunkaiwjs, and enchant97 Yunkaiwjs Yunkaiwjs
enchant97 enchant97
Note Mark: Unauthenticated disclosure of soft-deleted note metadata via deleted=true on public books Moderate
CVE-2026-50554 was published for github.com/enchant97/note-mark/backend (Go) Jul 9, 2026
Yunkaiwjs Credited to Yunkaiwjs and enchant97 enchant97 enchant97
Soup Sieve: Regular Expression Denial of Service (ReDoS) via Selector Parser High
CVE-2026-49477 was published for soupsieve (pip) Jul 9, 2026
mauriceng98 Credited to mauriceng98
Soup Sieve has Memory Exhaustion via Large Comma-Separated Selector Lists High
CVE-2026-49476 was published for soupsieve (pip) Jul 9, 2026
mauriceng98 Credited to mauriceng98
Phantom: Arbitrary file write and decode-bomb DoS via unconfined MCP tool paths High
GHSA-52vm-mxx8-f227 was published for phantom-audio (pip) Jul 9, 2026
leesaenz Credited to leesaenz
Micronaut: DefaultHttpClient follows redirects, forwarding Authorization, Cookie, and Proxy-Authorization headers Moderate
GHSA-q6gh-6v2r-hjv3 was published for io.micronaut:micronaut-http-client (Maven) Jul 9, 2026
sdelamo Credited to sdelamo
Micronaut doesn't set a maximum redirect count for its HTTP Client, enabling infinite loop DoS High
GHSA-387m-935m-c4vw was published for io.micronaut:micronaut-http-client (Maven) Jul 9, 2026
sdelamo Credited to sdelamo
pyLoad: Unbounded Memory Growth Leading to DoS and Potential DDoS in EventManager Moderate
CVE-2026-48987 was published for pyload-ng (pip) Jul 9, 2026
pevinkumar10 Credited to pevinkumar10
pyLoad: SSRF guard bypass via IPv6 6to4/NAT64 transition wrappers of internal IPs Moderate
CVE-2026-48737 was published for pyload-ng (pip) Jul 9, 2026
tonghuaroot Credited to tonghuaroot
Goh3st Credited to Goh3st
NL Portal: IDOR allows any authenticated user to complete and tamper with another user's taak High
CVE-2026-49464 was published for nl.nl-portal:taak (Maven) Jul 8, 2026
NL Portal: Missing per-user authorization on document and decision GraphQL queries in nl-portal-backend-libraries Moderate
CVE-2026-49463 was published for nl.nl-portal:besluiten (Maven) Jul 8, 2026
Waku has an Open Redirect via `unstable_redirect` Helper Low
CVE-2026-49456 was published for waku (npm) Jul 8, 2026
j0hndo Credited to j0hndo
Waku: Cross-Origin CSRF on RSC Server Action Dispatch Moderate
CVE-2026-49455 was published for waku (npm) Jul 8, 2026
j0hndo Credited to j0hndo
Joro: Unauthenticated Cross-Origin Plugin Upload Leads to RCE Critical
CVE-2026-53649 was published for github.com/BishopFox/joro (Go) Jul 8, 2026
stover-BF Credited to stover-BF
ProTip! Advisories are also available from the GraphQL API