Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,431 advisories

Loading
Craft CMS: Sensitive File Disclosure / Server-Side File Read Moderate
CVE-2026-55792 was published for craftcms/cms (Composer) Jul 6, 2026
smakarim Credited to smakarim
9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats Critical
GHSA-vjc7-jrh9-9j86 was published for 9router (npm) Jul 6, 2026
newnol Credited to newnol
Susen2 Credited to Susen2
LaunchServer FileServerHandler has an unauthenticated path traversal issue Critical
CVE-2026-54617 was published for pro.gravit.launcher:launchserver-api (Maven) Jul 2, 2026
getclaude Credited to getclaude
Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords High
CVE-2026-50200 was published for Steeltoe.Management.Endpoint (NuGet) Jul 2, 2026
nimonian Credited to nimonian
Froxlor: Authenticated customers can read other customers' allowed sender aliases Moderate
GHSA-mr9h-45p9-fg8h was published for froxlor/froxlor (Composer) Jul 2, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Dragonfly Manager OAuth provider client_secret disclosure via unauthenticated GET /api/v1/oauth Low
CVE-2026-49254 was published for d7y.io/dragonfly/v2 (Go) Jul 2, 2026
tonghuaroot Credited to tonghuaroot
tonghuaroot Credited to tonghuaroot
OpenClaw's POSIX node system.run safe-bin allowlist could be widened by shell expansion High
GHSA-mhq8-78pj-5j79 was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen and Ellahinator Ellahinator Ellahinator
OpenClaw: Hook-triggered CLI runs could receive owner MCP tool authority High
CVE-2026-53814 was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen and Ellahinator Ellahinator Ellahinator
OpenClaw: Message read actions could skip channel allowlist checks High
CVE-2026-53815 was published for openclaw (npm) Jul 2, 2026
samchodev Credited to samchodev
OpenClaw MCP SSE redirects could forward Authorization headers Moderate
GHSA-9c3v-684m-579c was published for openclaw (npm) Jul 1, 2026
dingliweixlm-byte Credited to dingliweixlm-byte
ORAS Go forwards registry credentials across registry redirects Moderate
GHSA-vh4v-2xq2-g5cg was published for oras.land/oras-go/v2 (Go) Jul 1, 2026
mosskappa Credited to mosskappa
SurrealDB: Graph traversal bypasses table SELECT permissions Moderate
GHSA-vjjx-rfw4-rmfc was published for surrealdb (Rust) Jul 1, 2026
repomix: attach_packed_output can bypass file-read secret scanning for supported local files Moderate
CVE-2026-49988 was published for repomix (npm) Jul 1, 2026
dodge1218 Credited to dodge1218
@sveltejs/kit: `query.batch` cross-talk Moderate
GHSA-hgv7-v322-mmgr was published for @sveltejs/kit (npm) May 21, 2026
rafabd1 Credited to rafabd1, elliott-with-the-longest-name-on-github, dummdidumm, and anandmt elliott-with-the-longest-name-on-github elliott-with-the-longest-name-on-github
dummdidumm dummdidumm anandmt anandmt
Fission: MessageQueueTrigger scaler manager materializes Secret values into Deployment envvars and accepts arbitrary user PodSpec High
GHSA-7m8x-qg2j-4m3v was published for github.com/fission/fission (Go) Jun 30, 2026
FORIMOC Credited to FORIMOC, Yuremin, and sanketsudake Yuremin Yuremin
sanketsudake sanketsudake
Nezha Dashboard: DDNS and Notification credential exposure via unredacted list API Moderate
GHSA-ww5p-j6cj-6mqq was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
sondt99 Credited to sondt99
mldangelo-oai Credited to mldangelo-oai
pnpm binds unscoped user-level npm auth credentials to a repository-selected registry Moderate
CVE-2026-50017 was published for pnpm (npm) Jun 26, 2026
mosskappa Credited to mosskappa
Mattermost doesn't sanitize team member data when returned via API to users without elevated permissions Moderate
CVE-2026-3636 was published for github.com/mattermost/mattermost-server (Go) May 26, 2026
@microsoft/kiota-http-fetchlibrary: Bearer token and Cookie leak across origin on redirect due to case-mismatched scrub in fetchRequestAdapter Moderate
CVE-2026-49336 was published for @microsoft/kiota-http-fetchlibrary (npm) Jun 26, 2026
tonghuaroot Credited to tonghuaroot, baywet, and adrian05-ms baywet baywet
adrian05-ms adrian05-ms
Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources Moderate
CVE-2026-49288 was published for statamic/cms (Composer) Jun 26, 2026
offset Credited to offset, Eszh, and geo-chen Eszh Eszh
geo-chen geo-chen
ProTip! Advisories are also available from the GraphQL API