Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

11,813 advisories

Loading
Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass High
CVE-2026-55075 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking High
CVE-2026-55076 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
dyingman1 Credited to dyingman1
OpenRemote has Cross-Realm User Information Disclosure in UserResourceImpl High
CVE-2026-54641 was published for io.openremote:openremote-manager (Maven) Jul 6, 2026
geo-chen Credited to geo-chen
Langroid: handle_message() executes user-supplied tool JSON without sender verification High
CVE-2026-54771 was published for langroid (pip) Jul 6, 2026
u-ktdi Credited to u-ktdi
chmod: --preserve-root bypassed by any path that resolves to root (e.g. /../) High
CVE-2026-35338 was published for uu_chmod (Rust) Jul 6, 2026
flyto-core has Unauthenticated Command Execution via HTTP MCP `execute_module` High
CVE-2026-55786 was published for flyto-core (pip) Jul 6, 2026
EQSTLab Credited to EQSTLab
tonghuaroot Credited to tonghuaroot
Open Babel has out-of-bounds write in MOPAC translationVectors[] (UNIT CELL TRANSLATION) High
CVE-2022-46292 was published for openbabel (pip) Jul 6, 2026
SnailSploit Credited to SnailSploit and 0xShemesh 0xShemesh 0xShemesh
golang.org/x/image/tiff has excessive resource consumption in PackBits decompression High
CVE-2026-46599 was published for golang.org/x/image (Go) Jul 2, 2026
Algernon vulnerable to server-side script source disclosure on Windows via NTFS filename High
CVE-2026-52792 was published for github.com/xyproto/algernon (Go) Jul 2, 2026
Dredsen Credited to Dredsen
jxl-grid on 32-bit platforms has an out-of-bounds writes due to integer overflow High
CVE-2026-52834 was published for jxl-grid (Rust) Jul 2, 2026
Keycloak: Unauthorized access via improper validation of encrypted SAML assertions High
CVE-2026-2092 was published for org.keycloak:keycloak-services (Maven) Jul 2, 2026
1seal Credited to 1seal
Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords High
CVE-2026-50200 was published for Steeltoe.Management.Endpoint (NuGet) Jul 2, 2026
Steeltoe.Discovery.Eureka: Unrecognized DataCenterInfo.Name poisons entire registry fetch High
CVE-2026-50196 was published for Steeltoe.Discovery.Eureka (NuGet) Jul 2, 2026
Steeltoe vulnerable to management-port isolation bypass via spoofed Host header High
CVE-2026-50194 was published for Steeltoe.Management.Endpoint (NuGet) Jul 2, 2026
SimpleSAMLphp has Possible DoS via XPath Transform High
CVE-2026-49289 was published for simplesamlphp/saml2 (Composer) Jul 2, 2026
ahacker1-securesaml Credited to ahacker1-securesaml
Zebra Address Book Aborted by IPv4-Mapped Mempool Misbehavior Update High
CVE-2026-52829 was published for zebra-network (Rust) Jul 2, 2026
Haxatron Credited to Haxatron, oxarbitrage, and mpguerra oxarbitrage oxarbitrage
mpguerra mpguerra
SimpleSAMLphp HTTP-Artifact TLS validator confusion allows cross-IdP authentication bypass High
CVE-2026-49283 was published for simplesamlphp/saml2 (Composer) Jul 2, 2026
kamil-sawicki Credited to kamil-sawicki
OoYo0uto Credited to OoYo0uto
@asymmetric-effort/nogginlessdom's Path Traversal in matchFileSnapshot allows arbitrary file write High
GHSA-322x-v876-g883 was published for @asymmetric-effort/nogginlessdom (npm) Jul 2, 2026
ProTip! Advisories are also available from the GraphQL API