GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
11,813 advisories
Filter by severity
Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass
High
CVE-2026-55075
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking
High
CVE-2026-55076
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
OpenRemote has an incomplete fix for CVE-2026-40882: XXE in KNXProtocol.startAssetImport() allows arbitrary file read via unprotected XMLInputFactory
High
CVE-2026-54640
was published
for
io.openremote:openremote-agent
(Maven)
Jul 6, 2026
OpenRemote has Cross-Realm User Information Disclosure in UserResourceImpl
High
CVE-2026-54641
was published
for
io.openremote:openremote-manager
(Maven)
Jul 6, 2026
Langroid: handle_message() executes user-supplied tool JSON without sender verification
High
CVE-2026-54771
was published
for
langroid
(pip)
Jul 6, 2026
chmod: --preserve-root bypassed by any path that resolves to root (e.g. /../)
High
CVE-2026-35338
was published
for
uu_chmod
(Rust)
Jul 6, 2026
flyto-core has Unauthenticated Command Execution via HTTP MCP `execute_module`
High
CVE-2026-55786
was published
for
flyto-core
(pip)
Jul 6, 2026
flyto-core has SSRF guard bypass via IPv6 transition addresses (IPv4-mapped / 6to4 / NAT64) in validate_url_ssrf
High
CVE-2026-55787
was published
for
flyto-core
(pip)
Jul 6, 2026
Scriban: Template Writes to Arbitrary CLR Properties via `TypedObjectAccessor` (Mass Assignment + `private` / `init` / `internal` Setter Bypass)
High
GHSA-7jvp-hj45-2f2m
was published
for
Scriban
(NuGet)
Jul 6, 2026
Open Babel has out-of-bounds write in MOPAC translationVectors[] (UNIT CELL TRANSLATION)
High
CVE-2022-46292
was published
for
openbabel
(pip)
Jul 6, 2026
Recce server has unauthenticated SQL execution that allows local file read/write through DuckDB
High
CVE-2026-49360
was published
for
recce
(pip)
Jul 2, 2026
9router has an Incomplete Fix: Local-Only Access Gate Bypass in 9router via Host Header SpoofING
High
CVE-2026-49353
was published
for
9router
(npm)
Jul 2, 2026
golang.org/x/image/tiff has excessive resource consumption in PackBits decompression
High
CVE-2026-46599
was published
for
golang.org/x/image
(Go)
Jul 2, 2026
SimpleSAMLphp SP accepts a response from an unexpected IdP when unsigned `Response/InResponseTo` is combined with a signed assertion lacking `SubjectConfirmationData/InResponseTo`
High
CVE-2026-49284
was published
for
simplesamlphp/simplesamlphp
(Composer)
Jul 2, 2026
Algernon vulnerable to server-side script source disclosure on Windows via NTFS filename
High
CVE-2026-52792
was published
for
github.com/xyproto/algernon
(Go)
Jul 2, 2026
jxl-grid on 32-bit platforms has an out-of-bounds writes due to integer overflow
High
CVE-2026-52834
was published
for
jxl-grid
(Rust)
Jul 2, 2026
Keycloak: Unauthorized access via improper validation of encrypted SAML assertions
High
CVE-2026-2092
was published
for
org.keycloak:keycloak-services
(Maven)
Jul 2, 2026
Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords
High
CVE-2026-50200
was published
for
Steeltoe.Management.Endpoint
(NuGet)
Jul 2, 2026
Steeltoe.Discovery.Eureka: Unrecognized DataCenterInfo.Name poisons entire registry fetch
High
CVE-2026-50196
was published
for
Steeltoe.Discovery.Eureka
(NuGet)
Jul 2, 2026
Steeltoe vulnerable to management-port isolation bypass via spoofed Host header
High
CVE-2026-50194
was published
for
Steeltoe.Management.Endpoint
(NuGet)
Jul 2, 2026
SimpleSAMLphp has Possible DoS via XPath Transform
High
CVE-2026-49289
was published
for
simplesamlphp/saml2
(Composer)
Jul 2, 2026
Zebra Address Book Aborted by IPv4-Mapped Mempool Misbehavior Update
High
CVE-2026-52829
was published
for
zebra-network
(Rust)
Jul 2, 2026
SimpleSAMLphp HTTP-Artifact TLS validator confusion allows cross-IdP authentication bypass
High
CVE-2026-49283
was published
for
simplesamlphp/saml2
(Composer)
Jul 2, 2026
Linuxfabrik Monitoring Plugins: Sudoers may be able to obtain privilege escalation via /usr/bin/apt-get arguments
High
CVE-2026-52817
was published
for
linuxfabrik-lib
(pip)
Jul 2, 2026
@asymmetric-effort/nogginlessdom's Path Traversal in matchFileSnapshot allows arbitrary file write
High
GHSA-322x-v876-g883
was published
for
@asymmetric-effort/nogginlessdom
(npm)
Jul 2, 2026
ProTip!
Advisories are also available from the
GraphQL API