Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

33,282 advisories

Loading
nebula-mesh: Unauthenticated OIDC login endpoint allocates unbounded in-memory state entries without rate limiting Moderate
CVE-2026-55512 was published for github.com/forgekeep/nebula-mesh (Go) Jul 14, 2026
sondt99 Credited to sondt99 and dungNHVhust dungNHVhust dungNHVhust
Anyquery: Local File Read (LFR) via Unrestricted SQLite Virtual Table Modules in Server Mode High
CVE-2026-54629 was published for github.com/julien040/anyquery (Go) Jul 14, 2026
Metincloup Credited to Metincloup
nebula-mesh: Operator session tokens stored in plaintext in the database High
CVE-2026-53603 was published for github.com/forgekeep/nebula-mesh (Go) Jul 14, 2026
Netty: Denial of Service via Unbounded Headers in StompSubframeDecoder High
CVE-2026-44891 was published for io.netty:netty-codec-stomp (Maven) Jul 14, 2026
violetagg Credited to violetagg
nebula-mesh: CA private key not zeroized on web mobile-bundle error paths High
CVE-2026-53604 was published for github.com/forgekeep/nebula-mesh (Go) Jul 14, 2026
Anyquery: Server-Side Request Forgery (SSRF) via Unrestricted SQLite Virtual Table Modules in Server Mode High
CVE-2026-54628 was published for github.com/julien040/anyquery (Go) Jul 14, 2026
Metincloup Credited to Metincloup
Umbraco.AI discloses sensitive application configuration values Moderate
GHSA-q3v2-xj35-9grx was published for Umbraco.AI (NuGet) Jul 14, 2026
Ech0: ParseAcceptLanguage `_` separator bypass enables ~70x CPU amplification via Accept-Language header in i18n.Middleware High
GHSA-mqxv-9rm6-w8qc was published for github.com/lin-snow/ech0 (Go) Jul 14, 2026
tonghuaroot Credited to tonghuaroot
nuiifornet Credited to nuiifornet
Trivy: Helm chart tar bomb causes OOM via unbounded io.ReadAll in parser High
CVE-2026-54448 was published for github.com/aquasecurity/trivy (Go) Jul 14, 2026
EasyAdmin: Stored Cross-Site Scripting (XSS) via uploaded files served inline in FileField and ImageField High
CVE-2026-54087 was published for easycorp/easyadmin-bundle (Composer) Jul 14, 2026
TsDProxy: X-Forwarded-For header injection allows IP spoofing in proxied requests to backend services High
GHSA-pqg7-v6wh-3pfp was published for github.com/almeidapaulopt/tsdproxy (Go) Jul 14, 2026
Prototype pollution in @feathersjs/commons _.merge via JSON-parsed __proto__ Low
CVE-2026-54335 was published for @feathersjs/commons (npm) Jul 14, 2026
ridingsa Credited to ridingsa
yutu: Arbitrary File Write via MCP `caption-download` Tool High
CVE-2026-50158 was published for github.com/eat-pray-ai/yutu (Go) Jul 14, 2026
EQSTLab Credited to EQSTLab
Auth0 Symfony SDK Accepted Bearer Tokens via URL Query Parameter Moderate
CVE-2026-50157 was published for auth0/symfony (Composer) Jul 14, 2026
n8n-MCP: Cross-tenant access to workflow version backups in multi-tenant HTTP deployments Critical
CVE-2026-54052 was published for n8n-mcp (npm) Jul 14, 2026
axsharma Credited to axsharma and 0xmagic0 0xmagic0 0xmagic0
Woodpecker gRPC agent_id metadata can be spoofed- cross-tenant agent impersonation High
CVE-2026-50141 was published for go.woodpecker-ci.org/woodpecker/v3 (Go) Jul 14, 2026
shivamkumarcyber Credited to shivamkumarcyber
Anyquery: Arbitrary File Write (AFW) which could lead to Remote Code Execution (RCE) via Unrestricted ATTACH DATABASE in Server Mode Critical
CVE-2026-50006 was published for github.com/julien040/anyquery (Go) Jul 14, 2026
Metincloup Credited to Metincloup
chaitanyagarware Credited to chaitanyagarware
MKP: Unbounded Pod Log Read via Attacker-Controlled `limitBytes`/`tailLines` Causes Memory Exhaustion High
CVE-2026-50125 was published for github.com/StacklokLabs/mkp (Go) Jul 14, 2026
EQSTLab Credited to EQSTLab
Hoverfly: Denial of Service via Goroutine Leak in Remote Post-Serve Actions Moderate
CVE-2026-50018 was published for github.com/SpectoLabs/hoverfly (Go) Jul 14, 2026
Kr1shna4garwal Credited to Kr1shna4garwal
Hoverfly: Process Crash via Concurrent Map Write Race Condition in Diff Mode High
CVE-2026-50013 was published for github.com/SpectoLabs/hoverfly (Go) Jul 14, 2026
Kr1shna4garwal Credited to Kr1shna4garwal
K3s: ZIP Archive Path Traversal Vulnerability in etcd Snapshot Decompression Moderate
CVE-2026-54250 was published for github.com/k3s-io/k3s (Go) Jul 14, 2026
f1veT Credited to f1veT
Wasmtime: Memory leak in C API with `externref` and `anyref` types Low
CVE-2025-61670 was published for wasmtime-bin (pip) Jul 14, 2026
alexcrichton Credited to alexcrichton
ProTip! Advisories are also available from the GraphQL API