GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
102
GitHub Actions
54
Go
4,334
Maven
5,000+
npm
5,000+
NuGet
1,031
pip
5,000+
Pub
13
RubyGems
1,122
Rust
1,497
Swift
61
Unreviewed advisories
All unreviewed
5,000+
33,345 advisories
Filter by severity
ArcadeDB has cross-database IDOR: /ts/*, /batch/*, Prometheus and Grafana handlers bypass authorization
High
GHSA-x8mg-6r4p-87pf
was published
for
com.arcadedb:arcadedb-server
(Maven)
Jul 16, 2026
ArcadeDB: Scripting authorization gate (GHSA-48qw-824m-86pr) bypassed via SQL DEFINE FUNCTION ... LANGUAGE js
High
GHSA-vwjc-v7x7-cm6g
was published
for
com.arcadedb:arcadedb-engine
(Maven)
Jul 16, 2026
ArcadeDB: Trigger scripts run with java.lang.* allowed, enabling OS command execution (RCE)
High
GHSA-x9f9-r4m8-9xc2
was published
for
com.arcadedb:arcadedb-engine
(Maven)
Jul 16, 2026
MCP Python SDK: WebSocket server transport does not support Host/Origin validation
High
CVE-2026-59950
was published
for
mcp
(pip)
Jul 16, 2026
ArcadeDB: Privilege escalation via reader role in /api/v1/command JS scripting language — arbitrary host file read
High
GHSA-48qw-824m-86pr
was published
for
com.arcadedb:arcadedb-server
(Maven)
Jul 16, 2026
Pheditor: Hardcoded default password 'admin' with no forced change enables full application compromise
Critical
CVE-2026-55579
was published
for
pheditor/pheditor
(Composer)
Jul 16, 2026
Pheditor: Incomplete command sanitization in terminal feature allows RCE via pipe operator, backtick substitution, and newline injection
High
CVE-2026-55578
was published
for
pheditor/pheditor
(Composer)
Jul 16, 2026
kuma-dp connects to control plane without verifying TLS certificate when no CA is configured
Moderate
CVE-2026-52724
was published
for
github.com/kumahq/kuma
(Go)
Jul 16, 2026
ArcadeDB: Read-only users can mutate database schema (incomplete fix of CVE-2026-44221)
High
CVE-2026-54076
was published
for
com.arcadedb:arcadedb-engine
(Maven)
Jul 16, 2026
ArcadeDB: IMPORT DATABASE allows SSRF and arbitrary local file read by authenticated users
High
CVE-2026-54077
was published
for
com.arcadedb:arcadedb-engine
(Maven)
Jul 16, 2026
nimiq-primitives: Out-of-bounds panic in KeyNibbles::Add from oversized child suffix in a deserialized proof
Low
CVE-2026-54542
was published
for
nimiq-primitives
(Rust)
Jul 16, 2026
nimiq-primitives: Panic in TrieProof::verify via child_index unwrap on equal-length keys
Low
CVE-2026-54541
was published
for
nimiq-primitives
(Rust)
Jul 16, 2026
Pheditor has an authenticated terminal command whitelist bypass
High
CVE-2026-54540
was published
for
pheditor/pheditor
(Composer)
Jul 16, 2026
MCP Python SDK: HTTP transports serve session requests without verifying the authenticated principal
High
CVE-2026-52869
was published
for
mcp
(pip)
Jul 16, 2026
MCP Python SDK: Experimental task handlers allow any client to access and cancel other clients' tasks
High
CVE-2026-52870
was published
for
mcp
(pip)
Jul 16, 2026
Nuclio: Unauthenticated path traversal in spec.handler allows arbitrary file write in Dashboard container
Moderate
CVE-2026-52832
was published
for
github.com/nuclio/nuclio
(Go)
Jul 16, 2026
Nuclio: Unsanitized runtimeAttributes.repositories injected into Groovy build.gradle leads to build-time RCE
High
CVE-2026-52833
was published
for
github.com/nuclio/nuclio
(Go)
Jul 16, 2026
Envoy Gateway: xDS Control Plane Information Disclosure when operating in GatewayNamespaceMode
High
CVE-2026-53714
was published
for
github.com/envoyproxy/gateway
(Go)
Jul 16, 2026
Diesel has possible use after free when deserializing a SQLite database via `SqliteConnection::deserialize_readonly_database`
Moderate
GHSA-ggxf-9f6j-w742
was published
for
diesel
(Rust)
Jul 16, 2026
Envoy Gateway: Authentication Bypass via Improper Input Validation in EnvoyExtensionPolicy Lua Allows Secret Disclosure
Critical
CVE-2026-53713
was published
for
github.com/envoyproxy/gateway
(Go)
Jul 16, 2026
Envoy Gateway: Wasm cache ServeHTTP reads mappingPath2Cache without lock
Moderate
CVE-2026-53715
was published
for
github.com/envoyproxy/gateway
(Go)
Jul 16, 2026
Envoy Gateway: OCI layer extraction allocates make([]byte, h.Size) from untrusted tar header
Moderate
CVE-2026-53717
was published
for
github.com/envoyproxy/gateway
(Go)
Jul 16, 2026
Envoy Gateway: Nil-dereference when SecurityPolicy targets TCPRoute without spec.authorization
Moderate
CVE-2026-53719
was published
for
github.com/envoyproxy/gateway
(Go)
Jul 16, 2026
Envoy Gateway: Wasm HTTP fetch decompresses gzip without output-size limit
Moderate
CVE-2026-53716
was published
for
github.com/envoyproxy/gateway
(Go)
Jul 16, 2026
Envoy Gateway custom backendRef cross-namespace ReferenceGrant bypass
Moderate
CVE-2026-53718
was published
for
github.com/envoyproxy/gateway
(Go)
Jul 16, 2026
ProTip!
Advisories are also available from the
GraphQL API