
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

32,624 advisories

phpMyFAQ has an incomplete fix for GHSA-xvp4-phqj-cjr3 — editUser() and updateUserRights() lack authorization guards
Severity: High
GHSA-985r-q3qp-299h was published for phpmyfaq/phpmyfaq (Composer) Jun 26, 2026
Credited to SnailSploit and 0xShemesh

@cardano402/mcp-server missing spending limits, LAN-exposed HTTP transport, and SSRF via catalog.server.url
Severity: Low
GHSA-rp72-5v5q-2446 was published for @cardano402/mcp-server (npm) Jun 26, 2026
Credited to MorganOnCode

mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind
Severity: Critical
CVE-2026-49257 was published for mcp-pinot-server (pip) Jun 26, 2026
Credited to raysabee and PeledTomer1

Relyra SAML SignatureValue not cryptographically verified -> authentication bypass
Severity: Critical
CVE-2026-49454 was published for relyra (Erlang) Jun 26, 2026

mcp-memory-service: OAuth read-only clients can write and delete memories through MCP tools/call
Severity: High
CVE-2026-49291 was published for mcp-memory-service (pip) Jun 26, 2026
Credited to DavidCarliez

deepstream is vulnerable to prototype pollution
Severity: Critical
CVE-2026-49252 was published for @deepstream/server (npm) Jun 26, 2026

Dosage Vulnerable to Stored Cross-Site Scripting (XSS) in HTML/RSS Output Handlers
Severity: Moderate
GHSA-75mw-h36v-2jv7 was published for dosage (pip) Jun 26, 2026
Credited to yueyueL

nebula-mesh: Signed-poll nonce LRU is in-memory and bounded; replay survives restart + eviction
Severity: Low
GHSA-v2jf-442r-6mjh was published for github.com/juev/nebula-mesh (Go) Jun 26, 2026
Credited to ak2k

WebauthnAuthenticator leaks sensitive HTTP headers through INFO-level logs
Severity: Moderate
GHSA-q683-8468-r6h6 was published for web-auth/webauthn-symfony-bundle (Composer) Jun 26, 2026

CakePHP: View::element() is missing a path containment check
Severity: Moderate
CVE-2026-48820 was published for cakephp/cakephp (Composer) Jun 26, 2026
Credited to z3moo, get-wright, markstory, and dereuromark

joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry payload-size limits during deserialization
Severity: Moderate
CVE-2026-48990 was published for joserfc (pip) Jun 26, 2026
Credited to 0xHunSec

better-helperjs Vulnerable to Directory Traversal via String Prefix Bypass in Static Server
Severity: High
GHSA-3p34-w4f6-5xh2 was published for better-helperjs (npm) Jun 26, 2026
Credited to TurboRigby

PHP Standard Library: HTTP/2 server-side missing content-length validation enables request smuggling
Severity: High
CVE-2026-48979 was published for php-standard-library/h2 (Composer) Jun 26, 2026
Credited to azjezz

Muhammara has a NULL pointer dereference in LZWDecode filter when DecodeParms omits EarlyChange key
Severity: High
GHSA-fhp4-pr5j-46m5 was published for muhammara (npm) Jun 26, 2026
Credited to r3d5t0x3

Pterodactyl Panel: Client email change endpoint allows enumeration of accounts in system
Severity: Moderate
GHSA-j7f5-gfqm-pcx3 was published for pterodactyl/panel (Composer) Jun 26, 2026
Credited to CybranceeHosting, YoloFTW, and TheCyberDesk

Pterodactyl Wings: Chmod operation can be used to change permissions of files outside of the server container
Severity: Moderate
GHSA-rhq6-9rgh-v45c was published for github.com/pterodactyl/wings (Go) Jun 26, 2026
Credited to Vz0n

Flawfinder output manipulation via untrusted filenames and source text
Severity: Low
CVE-2026-48813 was published for flawfinder (pip) Jun 26, 2026

python-socketio: Binary attachment accumulation can cause denial of service
Severity: High
CVE-2026-48804 was published for python-socketio (pip) Jun 26, 2026
Credited to mauriceng98

python-engineio has unbound thread allocation that can cause denial of service
Severity: High
CVE-2026-48802 was published for python-engineio (pip) Jun 26, 2026
Credited to mauriceng98

semantic-router exposed to compromised litellm wheel (CVE-2026-42208) via unbounded transitive pin
Severity: Critical
GHSA-98x5-vq43-vc5p was published for semantic-router (pip) Jun 26, 2026
Credited to jamescalam

python-engineio has possible denial of service due to maximum payload size sometimes not being enforced
Severity: High
CVE-2026-48809 was published for python-engineio (pip) Jun 26, 2026

LinkifyIt#match scan loop has quadratic algorithmic complexity
Severity: High
CVE-2026-48801 was published for linkify-it (npm) Jun 26, 2026
Credited to hillalee

turso-cli persists Turso platform JWT with world-readable (0o644) file permissions
Severity: Moderate
CVE-2026-48790 was published for github.com/tursodatabase/turso-cli (Go) Jun 26, 2026