GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

32,461 advisories

@cardano402/mcp-server missing spending limits, LAN-exposed HTTP transport, and SSRF via catalog.server.url Low
GHSA-rp72-5v5q-2446 was published for @cardano402/mcp-server (npm) Jun 26, 2026
Credited to MorganOnCode
mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind Critical
CVE-2026-49257 was published for mcp-pinot-server (pip) Jun 26, 2026
Credited to raysabee and PeledTomer1
Relyra SAML SignatureValue not cryptographically verified -> authentication bypass Critical
CVE-2026-49454 was published for relyra (Erlang) Jun 26, 2026
mcp-memory-service: OAuth read-only clients can write and delete memories through MCP tools/call High
CVE-2026-49291 was published for mcp-memory-service (pip) Jun 26, 2026
Credited to DavidCarliez
deepstream is vulnerable to prototype pollution Critical
CVE-2026-49252 was published for @deepstream/server (npm) Jun 26, 2026
Dosage Vulnerable to Stored Cross-Site Scripting (XSS) in HTML/RSS Output Handlers Moderate
GHSA-75mw-h36v-2jv7 was published for dosage (pip) Jun 26, 2026
Credited to yueyueL
nebula-mesh: Signed-poll nonce LRU is in-memory and bounded; replay survives restart + eviction Low
GHSA-v2jf-442r-6mjh was published for github.com/juev/nebula-mesh (Go) Jun 26, 2026
Credited to ak2k
WebauthnAuthenticator leaks sensitive HTTP headers through INFO-level logs Moderate
GHSA-q683-8468-r6h6 was published for web-auth/webauthn-symfony-bundle (Composer) Jun 26, 2026
CakePHP: View::element() is missing a path containment check Moderate
CVE-2026-48820 was published for cakephp/cakephp (Composer) Jun 26, 2026
Credited to z3moo, get-wright, markstory, and dereuromark
joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry payload-size limits during deserialization Moderate
CVE-2026-48990 was published for joserfc (pip) Jun 26, 2026
Credited to 0xHunSec
better-helperjs Vulnerable to Directory Traversal via String Prefix Bypass in Static Server High
GHSA-3p34-w4f6-5xh2 was published for better-helperjs (npm) Jun 26, 2026
Credited to TurboRigby
PHP Standard Library: HTTP/2 server-side missing content-length validation enables request smuggling High
CVE-2026-48979 was published for php-standard-library/h2 (Composer) Jun 26, 2026
Credited to azjezz
Muhammara has a NULL pointer dereference in LZWDecode filter when DecodeParms omits EarlyChange key High
GHSA-fhp4-pr5j-46m5 was published for muhammara (npm) Jun 26, 2026
Credited to r3d5t0x3
Pterodactyl Panel: Client email change endpoint allows enumeration of accounts in system Moderate
GHSA-j7f5-gfqm-pcx3 was published for pterodactyl/panel (Composer) Jun 26, 2026
Credited to CybranceeHosting, YoloFTW, and TheCyberDesk
Pterodactyl Wings: Chmod operation can be used to change permissions of files outside of the server container Moderate
GHSA-rhq6-9rgh-v45c was published for github.com/pterodactyl/wings (Go) Jun 26, 2026
Credited to Vz0n
Flawfinder output manipulation via untrusted filenames and source text Low
CVE-2026-48813 was published for flawfinder (pip) Jun 26, 2026
python-socketio: Binary attachment accumulation can cause denial of service High
CVE-2026-48804 was published for python-socketio (pip) Jun 26, 2026
Credited to mauriceng98
python-engineio has unbound thread allocation that can cause denial of service High
CVE-2026-48802 was published for python-engineio (pip) Jun 26, 2026
Credited to mauriceng98
semantic-router exposed to compromised litellm wheel (CVE-2026-42208) via unbounded transitive pin Critical
GHSA-98x5-vq43-vc5p was published for semantic-router (pip) Jun 26, 2026
Credited to jamescalam
python-engineio has possible denial of service due to maximum payload size sometimes not being enforced High
CVE-2026-48809 was published for python-engineio (pip) Jun 26, 2026
LinkifyIt#match scan loop has quadratic algorithmic complexity High
CVE-2026-48801 was published for linkify-it (npm) Jun 26, 2026
Credited to hillalee
turso-cli persists Turso platform JWT with world-readable (0o644) file permissions Moderate
CVE-2026-48790 was published for github.com/tursodatabase/turso-cli (Go) Jun 26, 2026
nono-py's policy JSON accepts unknown security fields Moderate
GHSA-m8j6-rc5x-wv36 was published for nono-py (pip) Jun 26, 2026