Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

509 advisories

Loading
nebula-mesh: Web UI host creation ignores configured enrollment token TTL and mints 24-hour bearer enrollment tokens Moderate
CVE-2026-55513 was published for github.com/forgekeep/nebula-mesh (Go) Jul 14, 2026
sondt99 Credited to sondt99 and dungNHVhust dungNHVhust dungNHVhust
nebula-mesh: Host revocation is not durable - blocked/offboarded hosts can regain a valid certificate Moderate
CVE-2026-53602 was published for github.com/forgekeep/nebula-mesh (Go) Jul 9, 2026
Better Auth: Stale sessions persist after user deletion across admin, anonymous, and SCIM flows Low
GHSA-2vg6-77g8-24mp was published for @better-auth/scim (npm) Jul 7, 2026
iruizsalinas Credited to iruizsalinas
Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption High
CVE-2026-53517 was published for @better-auth/oauth-provider (npm) Jul 7, 2026
chdanielmueller Credited to chdanielmueller
OpenClaw: Mattermost slash token revocation could lag until monitor refresh Moderate
GHSA-4m3v-q747-pc6h was published for openclaw (npm) Jul 2, 2026
feynman-hou Credited to feynman-hou
OpenClaw: Slack and Zalo webhook secrets could remain active after secrets.reload Moderate
GHSA-275c-xpvc-jgfw was published for openclaw (npm) Jul 2, 2026
feynman-hou Credited to feynman-hou
SurrealDB: LIVE query subscriptions survive session state changes, bypassing access controls Moderate
GHSA-4m82-p8cx-f94j was published for surrealdb (Rust) Jul 1, 2026
LucyEgan Credited to LucyEgan and addcontent addcontent addcontent
Gogs's password-reset tokens use account-activation lifetime, ignoring RESET_PASSWORD_CODE_LIVES Moderate
CVE-2026-52809 was published for gogs.io/gogs (Go) Jun 23, 2026
bugbunny-research Credited to bugbunny-research
@actual-app/sync-server: Disabled OpenID users keep access through existing session tokens High
CVE-2026-49229 was published for @actual-app/sync-server (npm) Jun 22, 2026
pyuysig Credited to pyuysig and MatissJanis MatissJanis MatissJanis
Langflow: Logout button does not clear session Moderate
CVE-2026-55423 was published for langflow (pip) Jun 19, 2026
iann0036 Credited to iann0036, Cristhianzl, AntonioABLima, and andifilhohub Cristhianzl Cristhianzl
AntonioABLima AntonioABLima andifilhohub andifilhohub
CoreWCF: SAML token replay protection is inoperative Moderate
CVE-2026-54779 was published for CoreWCF.Primitives (NuGet) Jun 19, 2026
ZITADEL: Missing Token Lifecyle Validation (`exp` and `iat`) in JWT IdP Provider Moderate
GHSA-wxg7-w2v3-w38g was published for github.com/zitadel/zitadel (Go) Jun 18, 2026
Android-Login-Analysis Credited to Android-Login-Analysis, livio-a, and IAM-marco livio-a livio-a
IAM-marco IAM-marco
Hydro: Insufficient session expiration when recreating sessions Moderate
CVE-2026-55617 was published for hydrooj (npm) Jun 18, 2026
renbaoshuo Credited to renbaoshuo
ProTip! Advisories are also available from the GraphQL API