Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

33,279 advisories

Loading
MantisBT: REST and SOAP API Issue Update Accepts Unreleased Product Versions From Updaters Moderate
CVE-2026-52882 was published for mantisbt/mantisbt (Composer) Jul 15, 2026
dregad Credited to dregad
MantisBT: Reflected XSS in admin/install.php via unescaped printf Critical
CVE-2026-52881 was published for mantisbt/mantisbt (Composer) Jul 15, 2026
McCaulay Credited to McCaulay and dregad dregad dregad
MantisBT: Reflected XSS in admin/install.php Critical
CVE-2026-52847 was published for mantisbt/mantisbt (Composer) Jul 15, 2026
McCaulay Credited to McCaulay and dregad dregad dregad
Koel: Server-Side Request Forgery (SSRF) in radio station creation due to missing validation bail Moderate
CVE-2026-50552 was published for phanan/koel (Composer) Jul 15, 2026
Yunkaiwjs Credited to Yunkaiwjs
Koel: Incomplete fix for CVE-2026-47260 — systemic SSRF in podcast & radio fetch paths High
CVE-2026-54491 was published for phanan/koel (Composer) Jul 15, 2026
kiffa-australis256 Credited to kiffa-australis256
Protobuf: Unbounded recursion depth in embedded-message decoding High
CVE-2026-54451 was published for protobuf (Erlang) Jul 15, 2026
PJUllrich Credited to PJUllrich and whatyouhide whatyouhide whatyouhide
LangBot: Authenticated RCE Via MCP Configuration High
CVE-2026-54449 was published for langbot (pip) Jul 15, 2026
MosesOX Credited to MosesOX
garminconnect Has Insecure Permission Assignment for Garmin OAuth Token Store High
CVE-2026-54447 was published for garminconnect (pip) Jul 15, 2026
EQSTLab Credited to EQSTLab and 232-323 232-323 232-323
Koel has SSRF through Authenticated Subsonic podcast feed URLs Moderate
GHSA-8q6q-m837-fv64 was published for phanan/koel (Composer) Jul 15, 2026
DavidCarliez Credited to DavidCarliez
Koel: Authenticated Full-Read SSRF via Subsonic Internet Radio Stations High
CVE-2026-54493 was published for phanan/koel (Composer) Jul 15, 2026
dennyabrahamsinaga Credited to dennyabrahamsinaga
Koel: Authenticated Blind SSRF via Subsonic Podcast Channel Creation Moderate
CVE-2026-54492 was published for phanan/koel (Composer) Jul 15, 2026
dennyabrahamsinaga Credited to dennyabrahamsinaga
MantisBT: REST API unauthorized Issue status change Moderate
CVE-2026-49280 was published for mantisbt/mantisbt (Composer) Jul 15, 2026
dregad Credited to dregad and mamdouhmahfouz mamdouhmahfouz mamdouhmahfouz
MantisBT: Remote Code Execution via eval() Class Hoisting in adm_config_set.php High
CVE-2026-49273 was published for mantisbt/mantisbt (Composer) Jul 15, 2026
McCaulay Credited to McCaulay and dregad dregad dregad
MantisBT: SOAP API Authentication Bypass with Privilege Escalation to Administrator Critical
CVE-2026-47156 was published for mantisbt/mantisbt (Composer) Jul 15, 2026
McCaulay Credited to McCaulay, dregad, tyage, voraci0us, and chndlrx dregad dregad
tyage tyage voraci0us voraci0us chndlrx chndlrx
MantisBT: SQL Injection via history_order Configuration Value High
CVE-2026-47142 was published for mantisbt/mantisbt (Composer) Jul 15, 2026
McCaulay Credited to McCaulay and dregad dregad dregad
FacturaScripts: Path traversal in UploadedFile::move() via getClientOriginalName() — arbitrary file write outside MyFiles/ leading to RCE Critical
GHSA-hgjx-r89m-m7v4 was published for facturascripts/facturascripts (Composer) Jul 14, 2026
aslein1413-sys Credited to aslein1413-sys
NetLicensing-MCP: Unauthenticated Use of Server-Side NetLicensing API Key in HTTP Mode High
CVE-2026-54446 was published for netlicensing-mcp (pip) Jul 14, 2026
EQSTLab Credited to EQSTLab
Woodpecker: Privilege escalation via unrestricted serviceAccountName in the Kubernetes backend High
CVE-2026-61549 was published for github.com/woodpecker-ci/woodpecker (Go) Jul 14, 2026
AnuragBathani Credited to AnuragBathani
Nebula-mesh allows non-admin operators to disable webhook SSRF protection via `allow_private` High
GHSA-7rx3-5wx3-5v76 was published for github.com/forgekeep/nebula-mesh (Go) Jul 14, 2026
adamyordan Credited to adamyordan
nebula-mesh: Certificate revocation is never enforced at the mesh High
CVE-2026-61699 was published for github.com/forgekeep/nebula-mesh (Go) Jul 14, 2026
Pig-Tail Credited to Pig-Tail
DavidCarliez Credited to DavidCarliez
nebula-mesh: Web UI host creation ignores configured enrollment token TTL and mints 24-hour bearer enrollment tokens Moderate
CVE-2026-55513 was published for github.com/forgekeep/nebula-mesh (Go) Jul 14, 2026
sondt99 Credited to sondt99 and dungNHVhust dungNHVhust dungNHVhust
nebula-mesh: Unauthenticated OIDC login endpoint allocates unbounded in-memory state entries without rate limiting Moderate
CVE-2026-55512 was published for github.com/forgekeep/nebula-mesh (Go) Jul 14, 2026
sondt99 Credited to sondt99 and dungNHVhust dungNHVhust dungNHVhust
Anyquery: Local File Read (LFR) via Unrestricted SQLite Virtual Table Modules in Server Mode High
CVE-2026-54629 was published for github.com/julien040/anyquery (Go) Jul 14, 2026
Metincloup Credited to Metincloup
ProTip! Advisories are also available from the GraphQL API