Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

33,233 advisories

Loading
Woodpecker gRPC agent_id metadata can be spoofed- cross-tenant agent impersonation High
CVE-2026-50141 was published for go.woodpecker-ci.org/woodpecker/v3 (Go) Jul 14, 2026
shivamkumarcyber Credited to shivamkumarcyber
Anyquery: Arbitrary File Write (AFW) which could lead to Remote Code Execution (RCE) via Unrestricted ATTACH DATABASE in Server Mode Critical
CVE-2026-50006 was published for github.com/julien040/anyquery (Go) Jul 14, 2026
Metincloup Credited to Metincloup
chaitanyagarware Credited to chaitanyagarware
MKP: Unbounded Pod Log Read via Attacker-Controlled `limitBytes`/`tailLines` Causes Memory Exhaustion High
CVE-2026-50125 was published for github.com/StacklokLabs/mkp (Go) Jul 14, 2026
EQSTLab Credited to EQSTLab
Hoverfly: Denial of Service via Goroutine Leak in Remote Post-Serve Actions Moderate
CVE-2026-50018 was published for github.com/SpectoLabs/hoverfly (Go) Jul 14, 2026
Kr1shna4garwal Credited to Kr1shna4garwal
Hoverfly: Process Crash via Concurrent Map Write Race Condition in Diff Mode High
CVE-2026-50013 was published for github.com/SpectoLabs/hoverfly (Go) Jul 14, 2026
Kr1shna4garwal Credited to Kr1shna4garwal
K3s: ZIP Archive Path Traversal Vulnerability in etcd Snapshot Decompression Moderate
CVE-2026-54250 was published for github.com/k3s-io/k3s (Go) Jul 14, 2026
f1veT Credited to f1veT
Wasmtime: Memory leak in C API with `externref` and `anyref` types Low
CVE-2025-61670 was published for wasmtime-bin (pip) Jul 14, 2026
alexcrichton Credited to alexcrichton
FacturaScripts: Unauthenticated Path Traversal in Static File Controllers Reads Private MyFiles Documents High
CVE-2026-45693 was published for facturascripts/facturascripts (Composer) Jul 14, 2026
5kr1pt Credited to 5kr1pt
FacturaScripts: Authenticated SQL injection in the FacturaScripts REST API filter parameter via parenthesis bypass in `Where::sqlColumn` Critical
CVE-2026-45262 was published for facturascripts/facturascripts (Composer) Jul 14, 2026
offset Credited to offset
OpenCost ServiceKey Endpoint Unauthorized Credential Overwrite/Injection High
CVE-2026-44300 was published for github.com/opencost/opencost (Go) Jul 14, 2026
b0b0haha Credited to b0b0haha
Kimai: ExportTemplate CRUD Missing Authorization Check Allows Unauthorized TEAMLEAD Access Moderate
CVE-2026-52828 was published for kimai/kimai (Composer) Jul 14, 2026
AzureADTrent Credited to AzureADTrent
Kimai: Pre-2FA KIMAI_SESSION cookie grants full authenticated REST API access, bypassing TOTP High
CVE-2026-52827 was published for kimai/kimai (Composer) Jul 14, 2026
shafiqaimanx Credited to shafiqaimanx
Mitchell45 Credited to Mitchell45
Mitchell45 Credited to Mitchell45
Kimai: Default APP_SECRET in Docker Image Enables Cookie Forgery and Account Takeover Critical
CVE-2026-52824 was published for kimai/kimai (Composer) Jul 14, 2026
AzureADTrent Credited to AzureADTrent
Kimai: Login CSRF in the Timesheet Stop and Restart API Endpoints Allows Unauthorized State Changes Moderate
CVE-2026-52823 was published for kimai/kimai (Composer) Jul 14, 2026
Mitchell45 Credited to Mitchell45
Mitchell45 Credited to Mitchell45
Mitchell45 Credited to Mitchell45
Kimai: Timesheet PATCH/POST allows assigning to project outside user's team via query_builder OR-bypass Moderate
CVE-2026-52820 was published for kimai/kimai (Composer) Jul 13, 2026
offset Credited to offset
offset Credited to offset
Kimai: Login CSRF in Default Team Creation Endpoints Allows Unauthorized Team and Permission Structure Changes Moderate
CVE-2026-49992 was published for kimai/kimai (Composer) Jul 13, 2026
Mitchell45 Credited to Mitchell45
0xmrma Credited to 0xmrma
ProTip! Advisories are also available from the GraphQL API