Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

446 advisories

Loading
Anyquery: Local File Read (LFR) via Unrestricted SQLite Virtual Table Modules in Server Mode High
CVE-2026-54629 was published for github.com/julien040/anyquery (Go) Jul 14, 2026
Metincloup Credited to Metincloup
yutu: Arbitrary File Write via MCP `caption-download` Tool High
CVE-2026-50158 was published for github.com/eat-pray-ai/yutu (Go) Jul 14, 2026
EQSTLab Credited to EQSTLab
Anyquery: Arbitrary File Write (AFW) which could lead to Remote Code Execution (RCE) via Unrestricted ATTACH DATABASE in Server Mode Critical
CVE-2026-50006 was published for github.com/julien040/anyquery (Go) Jul 14, 2026
Metincloup Credited to Metincloup
mcp-atlassian: Arbitrary server-side file read via attachment upload High
GHSA-wm45-qh3g-v83f was published for mcp-atlassian (pip) Jul 10, 2026
0xmagic0 Credited to 0xmagic0
psd-tools vulnerable to arbitrary file write via smart-object filename Moderate
CVE-2026-49836 was published for psd-tools (pip) Jul 9, 2026
seankohjs Credited to seankohjs and yueyueL yueyueL yueyueL
Rattler vulnerable to package cache path traversal via conda package build string Moderate
CVE-2026-53956 was published for py_rattler (pip) Jul 9, 2026
Phantom: Arbitrary file write and decode-bomb DoS via unconfined MCP tool paths High
GHSA-52vm-mxx8-f227 was published for phantom-audio (pip) Jul 9, 2026
leesaenz Credited to leesaenz
oasdiff does not enforce --allow-external-refs=false on the git-revision load path (SSRF / local file read) Moderate
CVE-2026-53508 was published for github.com/oasdiff/oasdiff (Go) Jul 7, 2026
EGroupware Vulnerable to Local File Inclusion via file:// URI in Mail Compose Moderate
CVE-2026-45016 was published for egroupware/egroupware (Composer) Jul 7, 2026
smitocaru Credited to smitocaru
Mautic vulnerable to Path Traversal via Campaign Import Critical
CVE-2026-9559 was published for mautic/core (Composer) Jul 2, 2026
nglong05 Credited to nglong05, f3nrir77, escopecz, patrykgruszka, and LeuchtfeuerDigitalMarketing f3nrir77 f3nrir77
escopecz escopecz patrykgruszka patrykgruszka LeuchtfeuerDigitalMarketing LeuchtfeuerDigitalMarketing
ProTip! Advisories are also available from the GraphQL API