Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

509 advisories

Loading
nebula-mesh: Web UI host creation ignores configured enrollment token TTL and mints 24-hour bearer enrollment tokens Moderate
CVE-2026-55513 was published for github.com/forgekeep/nebula-mesh (Go) Jul 14, 2026
sondt99 Credited to sondt99 and dungNHVhust dungNHVhust dungNHVhust
nebula-mesh: Host revocation is not durable - blocked/offboarded hosts can regain a valid certificate Moderate
CVE-2026-53602 was published for github.com/forgekeep/nebula-mesh (Go) Jul 9, 2026
Apache Airflow: Auth manager doesn't invalidate JWT tokens after users click logout Moderate
CVE-2026-48726 was published for apache-airflow (pip) Jun 1, 2026
Better Auth: Stale sessions persist after user deletion across admin, anonymous, and SCIM flows Low
GHSA-2vg6-77g8-24mp was published for @better-auth/scim (npm) Jul 7, 2026
iruizsalinas Credited to iruizsalinas
Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption High
CVE-2026-53517 was published for @better-auth/oauth-provider (npm) Jul 7, 2026
chdanielmueller Credited to chdanielmueller
Casdoor doesn't enforce SAML assertion time bounds High
CVE-2026-9096 was published for github.com/casdoor/casdoor (Go) May 28, 2026
OpenClaw: Mattermost slash token revocation could lag until monitor refresh Moderate
GHSA-4m3v-q747-pc6h was published for openclaw (npm) Jul 2, 2026
feynman-hou Credited to feynman-hou
OpenClaw: Slack and Zalo webhook secrets could remain active after secrets.reload Moderate
GHSA-275c-xpvc-jgfw was published for openclaw (npm) Jul 2, 2026
feynman-hou Credited to feynman-hou
Keycloak has Insufficient Session Expiration Moderate
CVE-2026-9802 was published for org.keycloak:keycloak-services (Maven) May 28, 2026
SurrealDB: LIVE query subscriptions survive session state changes, bypassing access controls Moderate
GHSA-4m82-p8cx-f94j was published for surrealdb (Rust) Jul 1, 2026
LucyEgan Credited to LucyEgan and addcontent addcontent addcontent
pyLoad's Session Not Invalidated After Permission Changes Low
GHSA-fj52-5g4h-gmq8 was published for pyload-ng (pip) Apr 14, 2026
PinkDraconian Credited to PinkDraconian
Gogs's password-reset tokens use account-activation lifetime, ignoring RESET_PASSWORD_CODE_LIVES Moderate
CVE-2026-52809 was published for gogs.io/gogs (Go) Jun 23, 2026
bugbunny-research Credited to bugbunny-research
@actual-app/sync-server: Disabled OpenID users keep access through existing session tokens High
CVE-2026-49229 was published for @actual-app/sync-server (npm) Jun 22, 2026
pyuysig Credited to pyuysig and MatissJanis MatissJanis MatissJanis
ProTip! Advisories are also available from the GraphQL API