GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,296
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
33,218 advisories
Filter by severity
Avo: Direct attachment upload endpoint lacks upload authorization and bypasses field-level upload policy
Moderate
CVE-2026-53769
was published
for
avo
(RubyGems)
Jul 9, 2026
laravel-backup-restore has an OS Command Injection during database restore
High
CVE-2026-53932
was published
for
wnx/laravel-backup-restore
(Composer)
Jul 9, 2026
nebula-mesh: Host revocation is not durable - blocked/offboarded hosts can regain a valid certificate
Moderate
CVE-2026-53602
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 9, 2026
Gittensory: Missing contributor-scoped access control on profile endpoint and MCP tool leaks miner financial data
Moderate
GHSA-382c-vx95-w3p5
was published
for
@jsonbored/gittensory-mcp
(npm)
Jul 9, 2026
Admidio: CSRF on Plugin Install, Uninstall, and Update via Unprotected GET Requests
Moderate
CVE-2026-53760
was published
for
admidio/admidio
(Composer)
Jul 9, 2026
Craft CMS: RCE via missing cleanseConfig in FieldsController::actionRenderCardPreview
High
GHSA-86vw-x4ww-x467
was published
for
craftcms/cms
(Composer)
Jul 9, 2026
Craft CMS has authenticated path traversal in `assets/icon`, allowing local `.svg` file read
Low
GHSA-c43v-4cr8-6mvp
was published
for
craftcms/cms
(Composer)
Jul 9, 2026
Ruby CSS Parser: SSRF and Local File Disclosure in `CssParser::Parser#read_remote_file`
High
CVE-2026-53727
was published
for
css_parser
(RubyGems)
Jul 9, 2026
org.hl7.fhir.core: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint
High
CVE-2026-49485
was published
for
ca.uhn.hapi.fhir:org.hl7.fhir.dstu2
(Maven)
Jul 9, 2026
pymonocypher: Potential heap buffer overflow on nb_blocks in argon2i_32 when provided buffer is too small
Moderate
CVE-2026-53720
was published
for
pymonocypher
(pip)
Jul 9, 2026
Note Mark: Path traversal via unsanitized book/note slug in migrate export (sibling of GHSA-g49p)
High
CVE-2026-50553
was published
for
github.com/enchant97/note-mark/backend
(Go)
Jul 9, 2026
Note Mark: Unauthenticated disclosure of soft-deleted note metadata via deleted=true on public books
Moderate
CVE-2026-50554
was published
for
github.com/enchant97/note-mark/backend
(Go)
Jul 9, 2026
Soup Sieve: Regular Expression Denial of Service (ReDoS) via Selector Parser
High
CVE-2026-49477
was published
for
soupsieve
(pip)
Jul 9, 2026
Soup Sieve has Memory Exhaustion via Large Comma-Separated Selector Lists
High
CVE-2026-49476
was published
for
soupsieve
(pip)
Jul 9, 2026
Phantom: Arbitrary file write and decode-bomb DoS via unconfined MCP tool paths
High
GHSA-52vm-mxx8-f227
was published
for
phantom-audio
(pip)
Jul 9, 2026
Micronaut: DefaultHttpClient follows redirects, forwarding Authorization, Cookie, and Proxy-Authorization headers
Moderate
GHSA-q6gh-6v2r-hjv3
was published
for
io.micronaut:micronaut-http-client
(Maven)
Jul 9, 2026
Micronaut doesn't set a maximum redirect count for its HTTP Client, enabling infinite loop DoS
High
GHSA-387m-935m-c4vw
was published
for
io.micronaut:micronaut-http-client
(Maven)
Jul 9, 2026
pyLoad: Unbounded Memory Growth Leading to DoS and Potential DDoS in EventManager
Moderate
CVE-2026-48987
was published
for
pyload-ng
(pip)
Jul 9, 2026
pyLoad: SSRF guard bypass via IPv6 6to4/NAT64 transition wrappers of internal IPs
Moderate
CVE-2026-48737
was published
for
pyload-ng
(pip)
Jul 9, 2026
Serena: Unauthenticated Flask dashboard on fixed port enables DNS rebinding → memory poisoning → RCE
High
CVE-2026-49471
was published
for
serena-agent
(pip)
Jul 8, 2026
NL Portal: IDOR allows any authenticated user to complete and tamper with another user's taak
High
CVE-2026-49464
was published
for
nl.nl-portal:taak
(Maven)
Jul 8, 2026
NL Portal: Missing per-user authorization on document and decision GraphQL queries in nl-portal-backend-libraries
Moderate
CVE-2026-49463
was published
for
nl.nl-portal:besluiten
(Maven)
Jul 8, 2026
Waku has an Open Redirect via `unstable_redirect` Helper
Low
CVE-2026-49456
was published
for
waku
(npm)
Jul 8, 2026
Waku: Cross-Origin CSRF on RSC Server Action Dispatch
Moderate
CVE-2026-49455
was published
for
waku
(npm)
Jul 8, 2026
Joro: Unauthenticated Cross-Origin Plugin Upload Leads to RCE
Critical
CVE-2026-53649
was published
for
github.com/BishopFox/joro
(Go)
Jul 8, 2026
ProTip!
Advisories are also available from the
GraphQL API