GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
509 advisories
Filter by severity
ColdFusion is affected by an Insufficient Session Expiration vulnerability that could result in a...
Low
Unreviewed
CVE-2026-48329
was published
Jul 14, 2026
nebula-mesh: Web UI host creation ignores configured enrollment token TTL and mints 24-hour bearer enrollment tokens
Moderate
CVE-2026-55513
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 14, 2026
Multiple connections to the backend using the same charging station ID
are allowed, which could...
High
Unreviewed
CVE-2026-44383
was published
Jul 11, 2026
nebula-mesh: Host revocation is not durable - blocked/offboarded hosts can regain a valid certificate
Moderate
CVE-2026-53602
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 9, 2026
Apache Airflow: Auth manager doesn't invalidate JWT tokens after users click logout
Moderate
CVE-2026-48726
was published
for
apache-airflow
(pip)
Jun 1, 2026
Better Auth: Stale sessions persist after user deletion across admin, anonymous, and SCIM flows
Low
GHSA-2vg6-77g8-24mp
was published
for
@better-auth/scim
(npm)
Jul 7, 2026
Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption
High
CVE-2026-53517
was published
for
@better-auth/oauth-provider
(npm)
Jul 7, 2026
Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component.
The camel...
Critical
Unreviewed
CVE-2026-46455
was published
Jul 6, 2026
A vulnerability was identified in SourceCodester Online Boat Reservation System 1.0. Affected by...
Low
Unreviewed
CVE-2026-14725
was published
Jul 5, 2026
Mealie1.0.0beta3 does not terminate download tokens after a user logs out, allowing attackers to...
Moderate
Unreviewed
CVE-2022-34624
was published
Aug 20, 2022
Grackle: Fail-open authorization in the MCP tool layer lets scoped agents perform cross-task and cross-session mutations (IDOR)
High
GHSA-f9ff-5x35-7gfw
was published
for
@grackle-ai/auth
(npm)
Jul 2, 2026
Casdoor doesn't enforce SAML assertion time bounds
High
CVE-2026-9096
was published
for
github.com/casdoor/casdoor
(Go)
May 28, 2026
OpenClaw: Mattermost slash token revocation could lag until monitor refresh
Moderate
GHSA-4m3v-q747-pc6h
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Slack and Zalo webhook secrets could remain active after secrets.reload
Moderate
GHSA-275c-xpvc-jgfw
was published
for
openclaw
(npm)
Jul 2, 2026
Keycloak has Insufficient Session Expiration
Moderate
CVE-2026-9802
was published
for
org.keycloak:keycloak-services
(Maven)
May 28, 2026
SurrealDB: LIVE query subscriptions survive session state changes, bypassing access controls
Moderate
GHSA-4m82-p8cx-f94j
was published
for
surrealdb
(Rust)
Jul 1, 2026
IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 does not invalidate session IDs after...
High
Unreviewed
CVE-2025-36359
was published
Jun 30, 2026
pyLoad's Session Not Invalidated After Permission Changes
Low
GHSA-fj52-5g4h-gmq8
was published
for
pyload-ng
(pip)
Apr 14, 2026
A flaw was found in Keycloak's client registration service. A remote attacker, possessing a...
Moderate
Unreviewed
CVE-2026-9705
was published
Jun 25, 2026
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows...
Moderate
Unreviewed
CVE-2026-54479
was published
Jun 26, 2026
Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions...
High
Unreviewed
CVE-2025-71335
was published
Jun 26, 2026
Gogs's password-reset tokens use account-activation lifetime, ignoring RESET_PASSWORD_CODE_LIVES
Moderate
CVE-2026-52809
was published
for
gogs.io/gogs
(Go)
Jun 23, 2026
@actual-app/sync-server: Disabled OpenID users keep access through existing session tokens
High
CVE-2026-49229
was published
for
@actual-app/sync-server
(npm)
Jun 22, 2026
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17...
Moderate
Unreviewed
CVE-2026-9162
was published
Jun 22, 2026
A vulnerability was identified in BerriAI litellm up to 1.82.2. This impacts the function...
Low
Unreviewed
CVE-2026-12796
was published
Jun 21, 2026
ProTip!
Advisories are also available from the
GraphQL API