Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

10,823 advisories

Loading
Craft CMS: Sensitive File Disclosure / Server-Side File Read Moderate
CVE-2026-55792 was published for craftcms/cms (Composer) Jul 6, 2026
smakarim Credited to smakarim
9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats Critical
GHSA-vjc7-jrh9-9j86 was published for 9router (npm) Jul 6, 2026
newnol Credited to newnol
Susen2 Credited to Susen2
LaunchServer FileServerHandler has an unauthenticated path traversal issue Critical
CVE-2026-54617 was published for pro.gravit.launcher:launchserver-api (Maven) Jul 2, 2026
getclaude Credited to getclaude
Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords High
CVE-2026-50200 was published for Steeltoe.Management.Endpoint (NuGet) Jul 2, 2026
nimonian Credited to nimonian
Froxlor: Authenticated customers can read other customers' allowed sender aliases Moderate
GHSA-mr9h-45p9-fg8h was published for froxlor/froxlor (Composer) Jul 2, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Dragonfly Manager OAuth provider client_secret disclosure via unauthenticated GET /api/v1/oauth Low
CVE-2026-49254 was published for d7y.io/dragonfly/v2 (Go) Jul 2, 2026
tonghuaroot Credited to tonghuaroot
tonghuaroot Credited to tonghuaroot
OpenClaw's POSIX node system.run safe-bin allowlist could be widened by shell expansion High
GHSA-mhq8-78pj-5j79 was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen and Ellahinator Ellahinator Ellahinator
OpenClaw: Hook-triggered CLI runs could receive owner MCP tool authority High
CVE-2026-53814 was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen and Ellahinator Ellahinator Ellahinator
OpenClaw: Message read actions could skip channel allowlist checks High
CVE-2026-53815 was published for openclaw (npm) Jul 2, 2026
samchodev Credited to samchodev
OpenClaw MCP SSE redirects could forward Authorization headers Moderate
GHSA-9c3v-684m-579c was published for openclaw (npm) Jul 1, 2026
dingliweixlm-byte Credited to dingliweixlm-byte
ORAS Go forwards registry credentials across registry redirects Moderate
GHSA-vh4v-2xq2-g5cg was published for oras.land/oras-go/v2 (Go) Jul 1, 2026
mosskappa Credited to mosskappa
SurrealDB: Graph traversal bypasses table SELECT permissions Moderate
GHSA-vjjx-rfw4-rmfc was published for surrealdb (Rust) Jul 1, 2026
repomix: attach_packed_output can bypass file-read secret scanning for supported local files Moderate
CVE-2026-49988 was published for repomix (npm) Jul 1, 2026
dodge1218 Credited to dodge1218
ProTip! Advisories are also available from the GraphQL API