GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
33,177 advisories
Filter by severity
Weblate SSRF: outbound URL guard misses some private ranges
Moderate
CVE-2026-50127
was published
for
weblate
(pip)
Jul 7, 2026
oasdiff does not enforce --allow-external-refs=false on the git-revision load path (SSRF / local file read)
Moderate
CVE-2026-53508
was published
for
github.com/oasdiff/oasdiff
(Go)
Jul 7, 2026
KEDA has PostgreSQL connection string parameter injection via incomplete whitespace escaping
Moderate
CVE-2026-53572
was published
for
github.com/kedacore/keda/v2
(Go)
Jul 7, 2026
Flask-Security-Too: WebAuthn reauthentication freshness bypass via cross-user assertion
Moderate
GHSA-f66q-9rf6-8795
was published
for
Flask-Security-Too
(pip)
Jul 7, 2026
Goploy: Arbitrary File Read via Path Traversal in /deploy/fileDiff allows Remote Server Compromise
High
CVE-2026-53553
was published
for
github.com/zhenorzz/goploy
(Go)
Jul 7, 2026
Goploy: Cross-namespace IDOR and RCE via body-supplied row id in project and project_file handlers
Critical
CVE-2026-53552
was published
for
github.com/zhenorzz/goploy
(Go)
Jul 7, 2026
ha-mcp: Add-on settings and policy routes are reachable without authentication at the bare root path
Moderate
GHSA-q855-8rh5-jfgq
was published
for
ha-mcp
(pip)
Jul 7, 2026
rama has Stored XSS in ServeDir HTML directory listing via unescaped file names and URI path
Low
GHSA-cwv4-h3j5-w3cf
was published
for
rama
(Rust)
Jul 7, 2026
aiosmtplib vulnerable to SMTP command injection via CR/LF in sender/recipient address
Moderate
CVE-2026-53533
was published
for
aiosmtplib
(pip)
Jul 7, 2026
Kite has an authenticated cluster RBAC bypass in /api/v1/overview
Moderate
CVE-2026-53487
was published
for
github.com/zxh326/kite
(Go)
Jul 7, 2026
Webauthn: SimpleFakeCredentialGenerator with an empty secret produces predictable fake credentials, weakening username enumeration protection
Low
GHSA-gq4g-fpc9-vjfq
was published
for
web-auth/webauthn-lib
(Composer)
Jul 7, 2026
ratex-parser has unbounded parser recursion that leads to stack overflow (process abort)
Moderate
CVE-2026-53531
was published
for
ratex-parser
(Rust)
Jul 7, 2026
ratex-parser panics on `\verb` with a multibyte delimiter (UTF-8 byte-boundary slice)
High
CVE-2026-53530
was published
for
ratex-parser
(Rust)
Jul 7, 2026
@better-auth/scim: Account/provider takeover via missing owner binding on non-org SCIM providers
High
GHSA-j8v8-g9cx-5qf4
was published
for
@better-auth/scim
(npm)
Jul 7, 2026
Better Auth: Stale sessions persist after user deletion across admin, anonymous, and SCIM flows
Low
GHSA-2vg6-77g8-24mp
was published
for
@better-auth/scim
(npm)
Jul 7, 2026
@better-auth/oauth-provider's OAuth authorization-code grant allows concurrent redemption when two token requests race the find-then-delete primitive
High
CVE-2026-53518
was published
for
@better-auth/oauth-provider
(npm)
Jul 7, 2026
@better-auth/sso provider registration has server-side request forgery via unvalidated OIDC endpoints
Critical
CVE-2026-53513
was published
for
@better-auth/sso
(npm)
Jul 7, 2026
Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption
High
CVE-2026-53517
was published
for
@better-auth/oauth-provider
(npm)
Jul 7, 2026
Better Auth has insecure cryptographic defaults in oidcProvider: alg=none advertised and plain PKCE accepted by default
High
GHSA-9h47-pqcx-hjr4
was published
for
better-auth
(npm)
Jul 7, 2026
Better Auth has stored XSS in the auth-server origin via javascript: redirect_uri in oidc-provider and mcp
High
GHSA-86j7-9j95-vpqj
was published
for
better-auth
(npm)
Jul 7, 2026
Better Auth has an account takeover issue via OAuth auto-link to unverified pre-registered email
High
CVE-2026-53516
was published
for
better-auth
(npm)
Jul 7, 2026
Better Auth vulnerable to unauthorized invitation acceptance via unverified email match in organization plugin
High
CVE-2026-53514
was published
for
better-auth
(npm)
Jul 7, 2026
@better-auth/oauth-provider may provide access tokens for unauthorized audiences via unbound resource indicators
Moderate
GHSA-p2fr-6hmx-4528
was published
for
@better-auth/oauth-provider
(npm)
Jul 7, 2026
Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins
Critical
CVE-2026-53512
was published
for
better-auth
(npm)
Jul 7, 2026
netfoil: Attacker controlled data written to logs
Low
GHSA-7856-g3gv-9wq8
was published
for
github.com/tinfoil-factory/netfoil
(Go)
Jul 7, 2026
ProTip!
Advisories are also available from the
GraphQL API