Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,408 advisories

Loading
Kimai: Pre-2FA KIMAI_SESSION cookie grants full authenticated REST API access, bypassing TOTP High
CVE-2026-52827 was published for kimai/kimai (Composer) Jul 14, 2026
shafiqaimanx Credited to shafiqaimanx
FacturaScripts: Account takeover of any 2FA-enabled user Critical
CVE-2026-47677 was published for facturascripts/facturascripts (Composer) Jul 13, 2026
janssensjelle Credited to janssensjelle
Apollo ConfigService access key authentication bypass via raw config file appId parsing High
CVE-2026-59955 was published for com.ctrip.framework.apollo:apollo (Maven) Jul 13, 2026
zhou-youyou Credited to zhou-youyou and Jarvis-Huanglz Jarvis-Huanglz Jarvis-Huanglz
Apollo ConfigService access key authentication bypass via appId parsing and non-canonical matching High
CVE-2026-59954 was published for com.ctrip.framework.apollo:apollo (Maven) Jul 13, 2026
zhou-youyou Credited to zhou-youyou and Jarvis-Huanglz Jarvis-Huanglz Jarvis-Huanglz
Decidim: JWT-backed authentication can be replayed across organizations High
CVE-2026-45414 was published for decidim (RubyGems) Jul 13, 2026
A weakness has been identified in RafyMrX TOKO-ONLINE-ROTI up to... Moderate Unreviewed
CVE-2026-15491 was published Jul 12, 2026
TSDProxy: Internal proxy auth token forwarded to backend services enables management API escalation Critical
GHSA-g936-7jqj-mwv8 was published for github.com/almeidapaulopt/tsdproxy (Go) Jul 10, 2026
therawdev Credited to therawdev
The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for... Critical Unreviewed
CVE-2026-12761 was published Jul 10, 2026
File Browser: Authentication Bypass via Proxy Auth Header Forgery Critical
CVE-2026-54089 was published for github.com/filebrowser/filebrowser/v2 (Go) Jul 10, 2026
Akokonunes Credited to Akokonunes and neo-ai-engineer neo-ai-engineer neo-ai-engineer
Flask-Security-Too: WebAuthn reauthentication freshness bypass via cross-user assertion Moderate
GHSA-f66q-9rf6-8795 was published for Flask-Security-Too (pip) Jul 7, 2026
tonghuaroot Credited to tonghuaroot
Better Auth has an account takeover issue via OAuth auto-link to unverified pre-registered email High
CVE-2026-53516 was published for better-auth (npm) Jul 7, 2026
avrmeduard Credited to avrmeduard
widavies Credited to widavies
ProTip! Advisories are also available from the GraphQL API