
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

32,624 advisories

nono-py's policy JSON accepts unknown security fields Moderate
GHSA-m8j6-rc5x-wv36 was published for nono-py (pip) Jun 26, 2026
nono-py vulnerable to authorization bypass / policy confusion Moderate
GHSA-9j7f-3r4p-pwh6 was published for nono-py (pip) Jun 26, 2026
Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication Critical
CVE-2026-48797 was published for @mcptoolshop/backpropagate (npm) Jun 26, 2026
nono-py has proxy-only network fallback bypass on older Linux kernels Moderate
GHSA-72w7-mf9g-733p was published for nono-py (pip) Jun 26, 2026
Credited to lukehinds
Fleet DM Vulnerable to Cross-Team Policy Data Exposure via Global Policy Read Endpoint Moderate
CVE-2026-41262 was published for github.com/fleetdm/fleet/v4 (Go) Jun 26, 2026
Credited to offset
Hysteria: http large header with sniff cause server DoS High
GHSA-jqc5-2p7q-fqfc was published for github.com/apernet/hysteria (Go) Jun 26, 2026
Credited to Cherrling
Hysteria vulnerable to server crash when max_datagram_frame_size very small High
GHSA-qh5x-rfwf-rvfv was published for github.com/apernet/hysteria (Go) Jun 26, 2026
Credited to Cherrling
Hysteria has an authenticated UDP ACL bypass that enables localhost and private-network UDP SSRF High
GHSA-vgrc-hq28-p3xp was published for github.com/apernet/hysteria/core/v2 (Go) Jun 26, 2026
Credited to 0xlally
@cyclonedx/cdxgen: Maven project scanning may allow shell command injection through repository-controlled module paths Moderate
GHSA-5vwr-qchf-q4pf was published for @cyclonedx/cdxgen (npm) Jun 26, 2026
Credited to aleff-github
Remark42: Cross-Site Scripting (XSS) on /api/v1/img via content-type spoofing High
CVE-2026-48788 was published for github.com/umputun/remark42 (Go) Jun 26, 2026
Credited to ildkh
Apptainer has incorrect path matching for 'limit container paths' directive Moderate
CVE-2026-48785 was published for github.com/apptainer/apptainer (Go) Jun 26, 2026
Credited to dtrudg
Credited to SnailSploit and 0xShemesh
Incus has an arbitrary file write on its client due to trusted image hash Critical
CVE-2026-48769 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
Credited to antifob and stgraber
@sigstore/core has DSSE payloadType type-binding failure Moderate
CVE-2026-48758 was published for @sigstore/core (npm) Jun 26, 2026
Credited to Str1ckl4nd and Zyy0530
Incus: CreateCustomVolumeFromBackup nil-pointer dereference on volume_snapshots[*].expires_at (sibling-field variant of GHSA-r7w7) Low
CVE-2026-48756 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
Credited to tonghuaroot and stgraber
Incus has an argument injection in backup compression algorithm leading to AFW and ACE Critical
CVE-2026-48755 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
Credited to antifob and stgraber
Incus: Nil-pointer dereference in createDependentVolumesFromBackup on disk.{Volume,VolumeSnapshots,Pool} Low
CVE-2026-48754 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
Credited to tonghuaroot and stgraber
Incus has an arbitrary file write via path traversal in S3 multipart upload Critical
CVE-2026-48753 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
Credited to antifob and stgraber
Incus has arbitrary file read+write on host via templates/ symlink in malicious image Critical
CVE-2026-48752 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
Credited to antifob and stgraber
Incus has a restricted project bypass leading to arbitrary command execution Critical
CVE-2026-48751 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
Credited to antifob and stgraber
Incus has an arbitrary file write on host via `exec-output` symlink in crafted image Critical
CVE-2026-48750 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
Credited to antifob and stgraber
Incus has an arbitrary file read+write on host via rootfs/ symlink in malicious image Critical
CVE-2026-48749 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
Credited to antifob and stgraber
ImageMagick has Null Pointer Dereference caused by the distort operation when passing incorrect arguments Moderate
CVE-2026-53463 was published for Magick.NET-Q16-AnyCPU (NuGet) Jun 26, 2026
Credited to 007bsd
OpenAM Account Takeover via Unverified Password Change in OAuth2 Module High
CVE-2026-46623 was published for org.openidentityplatform.openam:openam-auth-oauth2 (Maven) Jun 26, 2026
Credited to wodzen
OpenAM Authentication Bypass via MSISDN LDAP Injection High
CVE-2026-46619 was published for org.openidentityplatform.openam:openam-auth-msisdn (Maven) Jun 26, 2026
Credited to wodzen