GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

32,624 advisories

Fission: Cross-namespace event leakage via KubernetesWatchTrigger allows persistent tenant surveillance (High)
CVE-2026-49822 was published for github.com/fission/fission (Go) Jun 30, 2026
Credited to j311yl0v3u, b0b0haha, and sanketsudake

Fission: Cross-namespace Environment reference in Package allows build-time command execution and SA token exfiltration (High)
CVE-2026-49821 was published for github.com/fission/fission (Go) Jun 30, 2026
Credited to j311yl0v3u, b0b0haha, and sanketsudake

Fission: MessageQueueTrigger scaler manager materializes Secret values into Deployment envvars and accepts arbitrary user PodSpec (High)
GHSA-7m8x-qg2j-4m3v was published for github.com/fission/fission (Go) Jun 30, 2026
Credited to FORIMOC, Yuremin, and sanketsudake

Sigstore Java has a vulnerability with bundle verification of integratedTime (Low)
CVE-2026-48791 was published for dev.sigstore:sigstore-java (Maven) Jun 30, 2026

@cedar-policy/authorization-for-expressjs has an authorization bypass via query string manipulation (High)
CVE-2026-49473 was published for @cedar-policy/authorization-for-expressjs (npm) Jun 30, 2026

Kahi has privilege-drop and socket/log permission issues (High)
GHSA-55f6-4pr5-c7m5 was published for github.com/kahiteam/kahi (Go) Jun 30, 2026

Paymenter has URL parameter injection that bypasses paid plan limits at checkout (High)
CVE-2026-47198 was published for paymenter/paymenter (Composer) Jun 30, 2026
Credited to debibobo and CorwinDev

RabbitMQ vulnerable to Denial of Service by publishing large messages over the HTTP API (Moderate)
CVE-2023-46118 was published for rabbit_common (Erlang) Jun 30, 2026
Credited to NSEcho

RabbitMQ has predictable credential obfuscation seed value used in Shovel and Federation plugins (Moderate)
CVE-2022-31008 was published for rabbit_common (Erlang) Jun 30, 2026

Microsoft.OpenAPI: Circular schema references may terminate OpenAPI parsing (High)
CVE-2026-49451 was published for Microsoft.OpenAPI (NuGet) Jun 30, 2026
Credited to baywet

Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query (High)
CVE-2026-44840 was published for github.com/dgraph-io/dgraph/v25 (Go) Jun 29, 2026
Credited to SnailSploit

OpenAM OAuth Authorization Bypass via PKCE Challenge (Moderate)
CVE-2026-48717 was published for org.openidentityplatform.openam:openam-oauth2 (Maven) Jun 29, 2026
Credited to wodzen

OpenAM OAuth Client Impersonation via JWKS Resolver Cache (High)
CVE-2026-47426 was published for org.openidentityplatform.openam:openam-oauth2 (Maven) Jun 29, 2026
Credited to wodzen

OpenAM Authenticated RCE via Groovy Sandbox Escape (High)
CVE-2026-47424 was published for org.openidentityplatform.openam:openam-scripting (Maven) Jun 29, 2026
Credited to wodzen
Credited to 5h1kh4r

pnpm: `patch-remove` could delete project-selected files outside the patches directory (High)
GHSA-72r4-9c5j-mj57 was published for pnpm (npm) Jun 27, 2026

pnpm: Hoisted install imports lockfile alias outside node_modules (High)
GHSA-fr4h-3cph-29xv was published for pnpm (npm) Jun 27, 2026

Nezha Dashboard: DDNS and Notification credential exposure via unredacted list API (Moderate)
GHSA-ww5p-j6cj-6mqq was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Credited to sondt99

pnpm: Reserved bin name deletes PNPM_HOME during global remove (Moderate)
CVE-2026-55699 was published for pnpm (npm) Jun 26, 2026

Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR) (High)
CVE-2026-49338 was published for go.senan.xyz/gonic (Go) Jun 26, 2026
Credited to therawdev

pnpm: Repository-controlled configDependencies can select a pacquet native install engine (High)
CVE-2026-55697 was published for pnpm (npm) Jun 26, 2026