GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories

GitHub reviewed advisories (All reviewed: 5,000+)
  Composer: 5,000+
  Erlang: 73
  GitHub Actions: 53
  Go: 4,004
  Maven: 5,000+
  npm: 5,000+
  NuGet: 974
  pip: 5,000+
  Pub: 13
  RubyGems: 1,069
  Rust: 1,395
  Swift: 61

Unreviewed advisories (All unreviewed: 5,000+)
1,518 advisories
OutSystems Lifetime is vulnerable to Authorization Bypass Through User-Controlled Key...
    Moderate | Unreviewed | CVE-2026-40127 | published May 26, 2026

Authorization bypass through user-controlled key in Azure Privileged Identity Management (PIM)...
    High | Unreviewed | CVE-2026-35430 | published May 26, 2026

Authorization bypass in the entry duplication feature in Devolutions Server allows an...
    Low | Unreviewed | CVE-2026-9248 | published May 26, 2026

Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express...
    Low | Unreviewed | CVE-2026-8347 | published May 26, 2026

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14...
    High | Unreviewed | CVE-2026-3473 | published May 26, 2026

The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in...
    High | Unreviewed | CVE-2026-8679 | published May 22, 2026

Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference (IDOR) in the Express...
    Moderate | Unreviewed | CVE-2026-7881 | published May 22, 2026

Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[]...
    Low | Unreviewed | CVE-2026-7886 | published May 22, 2026

Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend...
    Moderate | Unreviewed | CVE-2026-8204 | published May 21, 2026

Authorization bypass through User-Controlled key vulnerability in PosCube Hardware Software and...
    High | Unreviewed | CVE-2025-13479 | published May 21, 2026

The Broadstreet plugin for WordPress is vulnerable to Insecure Direct Object Reference in all...
    Moderate | Unreviewed | CVE-2026-1881 | published May 21, 2026

A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action...
    High | Unreviewed | CVE-2026-9136 | published May 20, 2026

Keycloak: Insufficient verification proof scoping enables identity provider account linking attack and account compromise
    Moderate | CVE-2026-9087 | published for org.keycloak:keycloak-services (Maven) | May 20, 2026

phpMyFAQ: IDOR Account Takeover
    High | CVE-2026-35671 | published for phpmyfaq/phpmyfaq (Composer) | May 20, 2026

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is...
    Moderate | Unreviewed | CVE-2026-6566 | published May 20, 2026

The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to...
    Moderate | Unreviewed | CVE-2026-6072 | published May 20, 2026

MCP Gateway: Authority-injection and JWT/session bypass via the unauthenticated router hair-pin "router-key" / "mcp-init-host" path
    Critical | GHSA-g53w-w6mj-hrpp | published for github.com/Kuadrant/mcp-gateway (Go) | May 19, 2026

Sparx Pro Cloud Server requires authentication based on requested URL. An attacker can omit the ...
    Critical | Unreviewed | CVE-2026-42097 | published May 19, 2026

A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object...
    Moderate | Unreviewed | CVE-2026-4630 | published May 19, 2026

Keycloak: Information Disclosure via evaluate-scopes Admin API
    Moderate | CVE-2026-37978 | published for org.keycloak:keycloak-services (Maven) | May 19, 2026

The create and edit flows do not restrict which user properties may be submitted and do not...
    Moderate | Unreviewed | CVE-2026-46721 | published May 19, 2026

Dify version 1.14.1 and prior contains an authorization bypass vulnerability that allows...
    Critical | Unreviewed | CVE-2026-41947 | published May 18, 2026

Dify version 1.14.1 and prior contain an authorization bypass vulnerability in the file preview...
    High | Unreviewed | CVE-2026-41949 | published May 18, 2026

AVideo's Meet plugin: `uploadRecordedVideo.json.php` derives `users_id` from the uploaded filename and calls passwordless `User->login()`, allowing any caller with the Meet shared secret to obtain a session as arbitrary users including admin
    High | GHSA-qxvm-r42f-5p8j | published for WWBN/AVideo (Composer) | May 15, 2026

Authenticated Sharp users can download unrelated Laravel Storage objects through the generic download endpoint
    High | CVE-2026-44692 | published for code16/sharp (Composer) | May 15, 2026
Advisories are also available from the GraphQL API.