Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

33,345 advisories

Loading
ArcadeDB has cross-database IDOR: /ts/*, /batch/*, Prometheus and Grafana handlers bypass authorization High
GHSA-x8mg-6r4p-87pf was published for com.arcadedb:arcadedb-server (Maven) Jul 16, 2026
ArcadeDB: Scripting authorization gate (GHSA-48qw-824m-86pr) bypassed via SQL DEFINE FUNCTION ... LANGUAGE js High
GHSA-vwjc-v7x7-cm6g was published for com.arcadedb:arcadedb-engine (Maven) Jul 16, 2026
ArcadeDB: Trigger scripts run with java.lang.* allowed, enabling OS command execution (RCE) High
GHSA-x9f9-r4m8-9xc2 was published for com.arcadedb:arcadedb-engine (Maven) Jul 16, 2026
MCP Python SDK: WebSocket server transport does not support Host/Origin validation High
CVE-2026-59950 was published for mcp (pip) Jul 16, 2026
nitish-yaddala Credited to nitish-yaddala, Nadav0077, dodge1218, gistrec, and u-ktdi Nadav0077 Nadav0077
dodge1218 dodge1218 gistrec gistrec u-ktdi u-ktdi
ArcadeDB: Privilege escalation via reader role in /api/v1/command JS scripting language — arbitrary host file read High
GHSA-48qw-824m-86pr was published for com.arcadedb:arcadedb-server (Maven) Jul 16, 2026
kyojune76 Credited to kyojune76
Pheditor: Hardcoded default password 'admin' with no forced change enables full application compromise Critical
CVE-2026-55579 was published for pheditor/pheditor (Composer) Jul 16, 2026
sondt99 Credited to sondt99
sondt99 Credited to sondt99
kuma-dp connects to control plane without verifying TLS certificate when no CA is configured Moderate
CVE-2026-52724 was published for github.com/kumahq/kuma (Go) Jul 16, 2026
ArcadeDB: Read-only users can mutate database schema (incomplete fix of CVE-2026-44221) High
CVE-2026-54076 was published for com.arcadedb:arcadedb-engine (Maven) Jul 16, 2026
ArcadeDB: IMPORT DATABASE allows SSRF and arbitrary local file read by authenticated users High
CVE-2026-54077 was published for com.arcadedb:arcadedb-engine (Maven) Jul 16, 2026
nimiq-primitives: Out-of-bounds panic in KeyNibbles::Add from oversized child suffix in a deserialized proof Low
CVE-2026-54542 was published for nimiq-primitives (Rust) Jul 16, 2026
paberr Credited to paberr and Piravlos Piravlos Piravlos
nimiq-primitives: Panic in TrieProof::verify via child_index unwrap on equal-length keys Low
CVE-2026-54541 was published for nimiq-primitives (Rust) Jul 16, 2026
paberr Credited to paberr and Piravlos Piravlos Piravlos
Pheditor has an authenticated terminal command whitelist bypass High
CVE-2026-54540 was published for pheditor/pheditor (Composer) Jul 16, 2026
shanjijian Credited to shanjijian
srikanthramu Credited to srikanthramu and hewei-gikaku hewei-gikaku hewei-gikaku
cjmielke Credited to cjmielke, dewankpant, and shrutilohani dewankpant dewankpant
shrutilohani shrutilohani
Nuclio: Unauthenticated path traversal in spec.handler allows arbitrary file write in Dashboard container Moderate
CVE-2026-52832 was published for github.com/nuclio/nuclio (Go) Jul 16, 2026
j311yl0v3u Credited to j311yl0v3u and b0b0haha b0b0haha b0b0haha
Nuclio: Unsanitized runtimeAttributes.repositories injected into Groovy build.gradle leads to build-time RCE High
CVE-2026-52833 was published for github.com/nuclio/nuclio (Go) Jul 16, 2026
j311yl0v3u Credited to j311yl0v3u and b0b0haha b0b0haha b0b0haha
Envoy Gateway: xDS Control Plane Information Disclosure when operating in GatewayNamespaceMode High
CVE-2026-53714 was published for github.com/envoyproxy/gateway (Go) Jul 16, 2026
cnvergence Credited to cnvergence, zirain, guydc, and dashingDragon zirain zirain
guydc guydc dashingDragon dashingDragon
Envoy Gateway: Authentication Bypass via Improper Input Validation in EnvoyExtensionPolicy Lua Allows Secret Disclosure Critical
CVE-2026-53713 was published for github.com/envoyproxy/gateway (Go) Jul 16, 2026
rudrakhp Credited to rudrakhp and dashingDragon dashingDragon dashingDragon
Envoy Gateway: Wasm cache ServeHTTP reads mappingPath2Cache without lock Moderate
CVE-2026-53715 was published for github.com/envoyproxy/gateway (Go) Jul 16, 2026
zhaohuabing Credited to zhaohuabing
Envoy Gateway: OCI layer extraction allocates make([]byte, h.Size) from untrusted tar header Moderate
CVE-2026-53717 was published for github.com/envoyproxy/gateway (Go) Jul 16, 2026
zhaohuabing Credited to zhaohuabing
Envoy Gateway: Nil-dereference when SecurityPolicy targets TCPRoute without spec.authorization Moderate
CVE-2026-53719 was published for github.com/envoyproxy/gateway (Go) Jul 16, 2026
Envoy Gateway: Wasm HTTP fetch decompresses gzip without output-size limit Moderate
CVE-2026-53716 was published for github.com/envoyproxy/gateway (Go) Jul 16, 2026
zhaohuabing Credited to zhaohuabing
Envoy Gateway custom backendRef cross-namespace ReferenceGrant bypass Moderate
CVE-2026-53718 was published for github.com/envoyproxy/gateway (Go) Jul 16, 2026
ProTip! Advisories are also available from the GraphQL API