GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
102
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
33,282 advisories
Filter by severity
nebula-mesh: Unauthenticated OIDC login endpoint allocates unbounded in-memory state entries without rate limiting
Moderate
CVE-2026-55512
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 14, 2026
Anyquery: Local File Read (LFR) via Unrestricted SQLite Virtual Table Modules in Server Mode
High
CVE-2026-54629
was published
for
github.com/julien040/anyquery
(Go)
Jul 14, 2026
nebula-mesh: Operator session tokens stored in plaintext in the database
High
CVE-2026-53603
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 14, 2026
Netty: Denial of Service via Unbounded Headers in StompSubframeDecoder
High
CVE-2026-44891
was published
for
io.netty:netty-codec-stomp
(Maven)
Jul 14, 2026
nebula-mesh: CA private key not zeroized on web mobile-bundle error paths
High
CVE-2026-53604
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 14, 2026
Anyquery: Server-Side Request Forgery (SSRF) via Unrestricted SQLite Virtual Table Modules in Server Mode
High
CVE-2026-54628
was published
for
github.com/julien040/anyquery
(Go)
Jul 14, 2026
Umbraco.AI discloses sensitive application configuration values
Moderate
GHSA-q3v2-xj35-9grx
was published
for
Umbraco.AI
(NuGet)
Jul 14, 2026
Ech0: ParseAcceptLanguage `_` separator bypass enables ~70x CPU amplification via Accept-Language header in i18n.Middleware
High
GHSA-mqxv-9rm6-w8qc
was published
for
github.com/lin-snow/ech0
(Go)
Jul 14, 2026
TidGi Desktop Remote Code Execution via Malicious TiddlyWiki Repository Import — Tiddler Startup Module Auto-Execution
Critical
GHSA-9hc2-hjx8-q6pv
was published
for
tidgi
(npm)
Jul 14, 2026
Trivy: Helm chart tar bomb causes OOM via unbounded io.ReadAll in parser
High
CVE-2026-54448
was published
for
github.com/aquasecurity/trivy
(Go)
Jul 14, 2026
EasyAdmin: Stored Cross-Site Scripting (XSS) via uploaded files served inline in FileField and ImageField
High
CVE-2026-54087
was published
for
easycorp/easyadmin-bundle
(Composer)
Jul 14, 2026
TsDProxy: X-Forwarded-For header injection allows IP spoofing in proxied requests to backend services
High
GHSA-pqg7-v6wh-3pfp
was published
for
github.com/almeidapaulopt/tsdproxy
(Go)
Jul 14, 2026
Prototype pollution in @feathersjs/commons _.merge via JSON-parsed __proto__
Low
CVE-2026-54335
was published
for
@feathersjs/commons
(npm)
Jul 14, 2026
yutu: Arbitrary File Write via MCP `caption-download` Tool
High
CVE-2026-50158
was published
for
github.com/eat-pray-ai/yutu
(Go)
Jul 14, 2026
Auth0 Symfony SDK Accepted Bearer Tokens via URL Query Parameter
Moderate
CVE-2026-50157
was published
for
auth0/symfony
(Composer)
Jul 14, 2026
n8n-MCP: Cross-tenant access to workflow version backups in multi-tenant HTTP deployments
Critical
CVE-2026-54052
was published
for
n8n-mcp
(npm)
Jul 14, 2026
Woodpecker gRPC agent_id metadata can be spoofed- cross-tenant agent impersonation
High
CVE-2026-50141
was published
for
go.woodpecker-ci.org/woodpecker/v3
(Go)
Jul 14, 2026
Anyquery: Arbitrary File Write (AFW) which could lead to Remote Code Execution (RCE) via Unrestricted ATTACH DATABASE in Server Mode
Critical
CVE-2026-50006
was published
for
github.com/julien040/anyquery
(Go)
Jul 14, 2026
Fedify has an incomplete SSRF mitigation after GHSA-p9cg-vqcc-grcx: validatePublicUrl allows special-use IPv4 ranges
High
CVE-2026-50131
was published
for
@fedify/fedify
(npm)
Jul 14, 2026
MKP: Unbounded Pod Log Read via Attacker-Controlled `limitBytes`/`tailLines` Causes Memory Exhaustion
High
CVE-2026-50125
was published
for
github.com/StacklokLabs/mkp
(Go)
Jul 14, 2026
Hoverfly: Denial of Service via Goroutine Leak in Remote Post-Serve Actions
Moderate
CVE-2026-50018
was published
for
github.com/SpectoLabs/hoverfly
(Go)
Jul 14, 2026
Hoverfly: Process Crash via Concurrent Map Write Race Condition in Diff Mode
High
CVE-2026-50013
was published
for
github.com/SpectoLabs/hoverfly
(Go)
Jul 14, 2026
K3s: ZIP Archive Path Traversal Vulnerability in etcd Snapshot Decompression
Moderate
CVE-2026-54250
was published
for
github.com/k3s-io/k3s
(Go)
Jul 14, 2026
Wasmtime: Memory leak in C API with `externref` and `anyref` types
Low
CVE-2025-61670
was published
for
wasmtime-bin
(pip)
Jul 14, 2026
FacturaScripts: Stored XSS in WidgetVariante and WidgetSubcuenta modal lists via HTML-attribute decoding of `Tools::noHtml`-escaped quotes inside `onclick=`
Low
CVE-2026-45710
was published
for
facturascripts/facturascripts
(Composer)
Jul 14, 2026
ProTip!
Advisories are also available from the
GraphQL API