Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

33,317 advisories

Loading
HamdaanAliQuatil Credited to HamdaanAliQuatil and jasonsaayman jasonsaayman jasonsaayman
golang.org/x/crypto: Invoking VerifiedPublicKeyCallback permissions skip enforcement Critical
CVE-2026-46595 was published for golang.org/x/crypto (Go) Jun 25, 2026
golang.org/x/crypto doesn't drop invoking agent constraints when forwarding keys Critical
CVE-2026-39832 was published for golang.org/x/crypto (Go) Jun 25, 2026
golang.org/x/crypto vulnerable to auth bypass via unenforced @revoked status Critical
CVE-2026-42508 was published for golang.org/x/crypto (Go) Jun 25, 2026
golang.org/x/crypto is vulnerable to invoking server panic during CheckHostKey/Authenticate flow Moderate
CVE-2026-39835 was published for golang.org/x/crypto (Go) Jun 25, 2026
golang.org/x/crypto: Invoking client can cause server deadlock on unexpected responses Critical
CVE-2026-39830 was published for golang.org/x/crypto (Go) Jun 25, 2026
golang.org/x/crypto: Invoking pathological RSA/DSA parameters may cause DoS High
CVE-2026-39829 was published for golang.org/x/crypto (Go) Jun 25, 2026
golang.org/x/crypto vulnerable to invoking bypass of certificate restrictions Moderate
CVE-2026-39828 was published for golang.org/x/crypto (Go) Jun 25, 2026
Diffusers has a `trust_remote_code` bypass via `custom_pipeline` and local custom components High
CVE-2026-44827 was published for diffusers (pip) May 7, 2026 withdrawn
zafido Credited to zafido
container: pf Rule Injection via Domain Name Argument in `container system dns create --localhost` Command Low
GHSA-39g5-644c-qwcg was published for github.com/apple/container (Swift) May 7, 2026
XlabAITeam Credited to XlabAITeam, 0xmrma, keenanwgn, and A7um 0xmrma 0xmrma
keenanwgn keenanwgn A7um A7um
MantisBT: SOAP API Authentication Bypass with Privilege Escalation to Administrator Critical
CVE-2026-47156 was published for mantisbt/mantisbt (Composer) Jul 15, 2026
McCaulay Credited to McCaulay, dregad, tyage, voraci0us, chndlrx, and bharatdevasani dregad dregad
tyage tyage voraci0us voraci0us chndlrx chndlrx bharatdevasani bharatdevasani
ToolHive: SSRF in remote MCP server authentication discovery (host-side, bypasses container isolation) Low
CVE-2026-58196 was published for github.com/stacklok/toolhive (Go) Jul 15, 2026
bIackr0se Credited to bIackr0se, jhrozek, JAORMX, ChrisJBurns, and rdimitrov jhrozek jhrozek
JAORMX JAORMX ChrisJBurns ChrisJBurns rdimitrov rdimitrov
bytedance InfiniStore: Denial of Service via Non-Cryptographic Hashing in InfiniStore KV Map Low
CVE-2026-11312 was published for infinistore (pip) Jun 5, 2026
adawolfa/isdoc: Uncontrolled resource consumption (decompression bomb) when reading untrusted ISDOCX or PDF files Moderate
GHSA-xg43-5579-qw6v was published for adawolfa/isdoc (Composer) Jul 15, 2026
@andrea9293/mcp-documentation-server: Web UI API binds to all interfaces without authentication by default High
CVE-2026-54504 was published for @andrea9293/mcp-documentation-server (npm) Jul 15, 2026
tonghuaroot Credited to tonghuaroot
Pomerium Pre-Auth Memory Exhaustion via Unbounded zstd Decompression in HPKE Callback High
CVE-2026-50285 was published for github.com/pomerium/pomerium (Go) Jul 15, 2026
bugbunny-research Credited to bugbunny-research
dd-trace-rb: Improper parsing of W3C baggage headers may lead to DoS High
CVE-2026-50276 was published for datadog (RubyGems) Jul 15, 2026
dd-trace-go: Improper parsing of W3C baggage headers may lead to DoS High
CVE-2026-50274 was published for github.com/DataDog/dd-trace-go (Go) Jul 15, 2026
dd-trace-dotnet: Improper parsing of W3C baggage headers may lead to DoS High
CVE-2026-50273 was published for Datadog.Trace (NuGet) Jul 15, 2026
dd-trace-js: Improper parsing of W3C baggage headers may lead to DoS High
CVE-2026-50272 was published for dd-trace (npm) Jul 15, 2026
dd-trace-py: Improper parsing of W3C baggage headers may lead to DoS High
CVE-2026-50271 was published for ddtrace (pip) Jul 15, 2026
dd-trace-java: Improper parsing of W3C baggage headers may lead to DoS High
CVE-2026-50270 was published for com.datadoghq:dd-java-agent (Maven) Jul 15, 2026
ViewComponent: Reused Component Instances Retain Stale Render Context Moderate
CVE-2026-54497 was published for view_component (RubyGems) Jul 15, 2026
cyberlanc3r Credited to cyberlanc3r
ProTip! Advisories are also available from the GraphQL API