GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,303
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
33,233 advisories
Filter by severity
Woodpecker gRPC agent_id metadata can be spoofed- cross-tenant agent impersonation
High
CVE-2026-50141
was published
for
go.woodpecker-ci.org/woodpecker/v3
(Go)
Jul 14, 2026
Anyquery: Arbitrary File Write (AFW) which could lead to Remote Code Execution (RCE) via Unrestricted ATTACH DATABASE in Server Mode
Critical
CVE-2026-50006
was published
for
github.com/julien040/anyquery
(Go)
Jul 14, 2026
Fedify has an incomplete SSRF mitigation after GHSA-p9cg-vqcc-grcx: validatePublicUrl allows special-use IPv4 ranges
High
CVE-2026-50131
was published
for
@fedify/fedify
(npm)
Jul 14, 2026
MKP: Unbounded Pod Log Read via Attacker-Controlled `limitBytes`/`tailLines` Causes Memory Exhaustion
High
CVE-2026-50125
was published
for
github.com/StacklokLabs/mkp
(Go)
Jul 14, 2026
Hoverfly: Denial of Service via Goroutine Leak in Remote Post-Serve Actions
Moderate
CVE-2026-50018
was published
for
github.com/SpectoLabs/hoverfly
(Go)
Jul 14, 2026
Hoverfly: Process Crash via Concurrent Map Write Race Condition in Diff Mode
High
CVE-2026-50013
was published
for
github.com/SpectoLabs/hoverfly
(Go)
Jul 14, 2026
K3s: ZIP Archive Path Traversal Vulnerability in etcd Snapshot Decompression
Moderate
CVE-2026-54250
was published
for
github.com/k3s-io/k3s
(Go)
Jul 14, 2026
Wasmtime: Memory leak in C API with `externref` and `anyref` types
Low
CVE-2025-61670
was published
for
wasmtime-bin
(pip)
Jul 14, 2026
FacturaScripts: Stored XSS in WidgetVariante and WidgetSubcuenta modal lists via HTML-attribute decoding of `Tools::noHtml`-escaped quotes inside `onclick=`
Low
CVE-2026-45710
was published
for
facturascripts/facturascripts
(Composer)
Jul 14, 2026
FacturaScripts: CSV formula injection in CSVExport allows authenticated low-priv users to plant payloads that execute when an admin opens the export
High
CVE-2026-45263
was published
for
facturascripts/facturascripts
(Composer)
Jul 14, 2026
FacturaScripts: Unauthenticated Path Traversal in Static File Controllers Reads Private MyFiles Documents
High
CVE-2026-45693
was published
for
facturascripts/facturascripts
(Composer)
Jul 14, 2026
FacturaScripts: Authenticated SQL injection in the FacturaScripts REST API filter parameter via parenthesis bypass in `Where::sqlColumn`
Critical
CVE-2026-45262
was published
for
facturascripts/facturascripts
(Composer)
Jul 14, 2026
OpenCost ServiceKey Endpoint Unauthorized Credential Overwrite/Injection
High
CVE-2026-44300
was published
for
github.com/opencost/opencost
(Go)
Jul 14, 2026
Kimai: ExportTemplate CRUD Missing Authorization Check Allows Unauthorized TEAMLEAD Access
Moderate
CVE-2026-52828
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai: Pre-2FA KIMAI_SESSION cookie grants full authenticated REST API access, bypassing TOTP
High
CVE-2026-52827
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai: Improper Authorization in Project, Customer, and Activity Rate Edit Endpoints Allows Cross-Scope Rate Manipulation
Moderate
CVE-2026-52826
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai has Improper Authorization in Team Member and Team Activity Assignment APIs Which Allows Expansion of Team Scope Beyond Authorized Visibility
Moderate
CVE-2026-52825
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai: Default APP_SECRET in Docker Image Enables Cookie Forgery and Account Takeover
Critical
CVE-2026-52824
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai: Login CSRF in the Timesheet Stop and Restart API Endpoints Allows Unauthorized State Changes
Moderate
CVE-2026-52823
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Improper Authorization in Kimai Timesheet Restart and Duplicate Allows New Timesheets After Project Access Revocation
Moderate
CVE-2026-52822
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai: Improper Authorization Through Activity Creation with Preset Project Allows Creation Under Unauthorized Projects
Moderate
CVE-2026-52821
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai: Timesheet PATCH/POST allows assigning to project outside user's team via query_builder OR-bypass
Moderate
CVE-2026-52820
was published
for
kimai/kimai
(Composer)
Jul 13, 2026
Kimai: Teamlead authorization bypass in GET /api/timesheets allows reading other users' timesheet records without being teamlead of the target
Moderate
CVE-2026-52819
was published
for
kimai/kimai
(Composer)
Jul 13, 2026
Kimai: Login CSRF in Default Team Creation Endpoints Allows Unauthorized Team and Permission Structure Changes
Moderate
CVE-2026-49992
was published
for
kimai/kimai
(Composer)
Jul 13, 2026
Apple App Store Server Python Library: SignedDataVerifier accepts stale OCSP GOOD responses and can bypass certificate revocation checks
Moderate
GHSA-8f6j-263m-g72x
was published
for
app-store-server-library
(pip)
Jul 13, 2026
ProTip!
Advisories are also available from the
GraphQL API