
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

32,624 advisories

pnpm: Manifest identity spoof satisfies allowBuilds and runs attacker lifecycle High
CVE-2026-55487 was published for pnpm (npm) Jun 26, 2026
Credited to mldangelo-oai
ImageMagick has a Heap Buffer Over-Write in SF3 encoder when writing multi-frame image Moderate
CVE-2026-53465 was published for Magick.NET-Q16-AnyCPU (NuGet) Jun 26, 2026
Credited to 007bsd
ImageMagick: Memory Leak in wand option parser when providing invalid arguments Moderate
CVE-2026-53464 was published for Magick.NET-Q16-AnyCPU (NuGet) Jun 26, 2026
Credited to 007bsd
Statamic CMS's incorrect authorization lets view-only users submit Live Preview content reserved for editors Low
CVE-2026-54244 was published for statamic/cms (Composer) Jun 26, 2026
Credited to jqr1449186277
Nezha Monitoring: OAuth2 Redirect URL — Host Header Injection Moderate
CVE-2026-53523 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Credited to alcls01111
Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS Moderate
CVE-2026-53522 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Credited to alcls01111
Statamic Vulnerable to CSV formula injection in form submission exports Moderate
CVE-2026-54243 was published for statamic/cms (Composer) Jun 26, 2026
Credited to kah-ja
Statamic Vulnerable to Server-Side Request Forgery via Glide (DNS rebinding) Moderate
CVE-2026-54242 was published for statamic/cms (Composer) Jun 26, 2026
Credited to jqr1449186277
Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secret_key Critical
CVE-2026-53519 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Credited to riodrwn
Nezha Monitoring: Stored future DDNS profile ID allows unauthorized use of another user's DDNS profile context Moderate
CVE-2026-53521 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Credited to baradika
Nezha Monitoring: Authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing Moderate
CVE-2026-53520 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Credited to sondt99
pnpm Vulnerable to Arbitrary File Write/Delete via Malicious Patch File (Path Traversal) High
CVE-2026-50015 was published for pnpm (npm) Jun 26, 2026
Credited to tempcollab
pnpm binds unscoped user-level npm auth credentials to a repository-selected registry Moderate
CVE-2026-50017 was published for pnpm (npm) Jun 26, 2026
Credited to mosskappa
Credited to aszx87410
pnpm: Git Fetch Argument Injection via Lockfile resolution.commit Moderate
CVE-2026-50014 was published for pnpm (npm) Jun 26, 2026
Credited to tempcollab
pnpm Has an Integrity Check Bypass via Missing Lockfile Integrity Field Moderate
CVE-2026-50021 was published for pnpm (npm) Jun 26, 2026
Credited to tempcollab
pnpm: Unsafe default behavior breaks integrity check Moderate
CVE-2026-50573 was published for pnpm (npm) Jun 26, 2026
Credited to aszx87410
ex_aws_sns: Trusted-attacker `SigningCertURL` permits complete SNS signature bypass High
CVE-2026-47074 was published for ex_aws_sns (Erlang) Jun 26, 2026
Credited to PJUllrich, bernardd, and maennchen
js-toml has silent type confusion via falsy-primitive duplicate-key bypass Moderate
CVE-2026-50029 was published for js-toml (npm) Jun 26, 2026
Credited to CosmicCrusader23
regclient may leak authentication credentials to external blob stores Moderate
CVE-2026-49349 was published for github.com/regclient/regclient (Go) Jun 26, 2026
Credited to GimmyDatBeeR and sudo-bmitch
Authelia has an Edge Case Access Control Rule Mismatch Low
CVE-2026-48794 was published for github.com/authelia/authelia/v4 (Go) Jun 26, 2026
Credited to j0hndo, james-d-elliott, Crowley723, and nightah
Nezha vulnerable to cross-tenant terminal/file-manager session hijack via WebSocket stream UUID without ownership check Critical
GHSA-q6xx-5vr8-p898 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Credited to Uhudsavasindankacanokcu2
Blnk has an API key authorization bypass in owner and scope enforcement High
GHSA-wcr3-9x4c-f5gj was published for github.com/blnkfinance/blnk (Go) Jun 26, 2026
Credited to Shivam8584
YARD static cache reads raw traversal paths before router sanitization Moderate
CVE-2026-49342 was published for yard (RubyGems) Jun 26, 2026
Credited to hibrian827
ProTip! Advisories are also available from the GraphQL API