Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

33,177 advisories

Loading
Weblate SSRF: outbound URL guard misses some private ranges Moderate
CVE-2026-50127 was published for weblate (pip) Jul 7, 2026
tonghuaroot Credited to tonghuaroot and nijel nijel nijel
oasdiff does not enforce --allow-external-refs=false on the git-revision load path (SSRF / local file read) Moderate
CVE-2026-53508 was published for github.com/oasdiff/oasdiff (Go) Jul 7, 2026
KEDA has PostgreSQL connection string parameter injection via incomplete whitespace escaping Moderate
CVE-2026-53572 was published for github.com/kedacore/keda/v2 (Go) Jul 7, 2026
mert2m Credited to mert2m
Flask-Security-Too: WebAuthn reauthentication freshness bypass via cross-user assertion Moderate
GHSA-f66q-9rf6-8795 was published for Flask-Security-Too (pip) Jul 7, 2026
tonghuaroot Credited to tonghuaroot
Goploy: Arbitrary File Read via Path Traversal in /deploy/fileDiff allows Remote Server Compromise High
CVE-2026-53553 was published for github.com/zhenorzz/goploy (Go) Jul 7, 2026
What-canIsay Credited to What-canIsay
Goploy: Cross-namespace IDOR and RCE via body-supplied row id in project and project_file handlers Critical
CVE-2026-53552 was published for github.com/zhenorzz/goploy (Go) Jul 7, 2026
tonghuaroot Credited to tonghuaroot
ha-mcp: Add-on settings and policy routes are reachable without authentication at the bare root path Moderate
GHSA-q855-8rh5-jfgq was published for ha-mcp (pip) Jul 7, 2026
bharat Credited to bharat
rama has Stored XSS in ServeDir HTML directory listing via unescaped file names and URI path Low
GHSA-cwv4-h3j5-w3cf was published for rama (Rust) Jul 7, 2026
chaitanyagarware Credited to chaitanyagarware
aiosmtplib vulnerable to SMTP command injection via CR/LF in sender/recipient address Moderate
CVE-2026-53533 was published for aiosmtplib (pip) Jul 7, 2026
tonghuaroot Credited to tonghuaroot
Kite has an authenticated cluster RBAC bypass in /api/v1/overview Moderate
CVE-2026-53487 was published for github.com/zxh326/kite (Go) Jul 7, 2026
DavidCarliez Credited to DavidCarliez
ratex-parser has unbounded parser recursion that leads to stack overflow (process abort) Moderate
CVE-2026-53531 was published for ratex-parser (Rust) Jul 7, 2026
nikkoenggaliano Credited to nikkoenggaliano
ratex-parser panics on `\verb` with a multibyte delimiter (UTF-8 byte-boundary slice) High
CVE-2026-53530 was published for ratex-parser (Rust) Jul 7, 2026
nikkoenggaliano Credited to nikkoenggaliano
@better-auth/scim: Account/provider takeover via missing owner binding on non-org SCIM providers High
GHSA-j8v8-g9cx-5qf4 was published for @better-auth/scim (npm) Jul 7, 2026
Jvr2022 Credited to Jvr2022
Better Auth: Stale sessions persist after user deletion across admin, anonymous, and SCIM flows Low
GHSA-2vg6-77g8-24mp was published for @better-auth/scim (npm) Jul 7, 2026
iruizsalinas Credited to iruizsalinas
chdanielmueller Credited to chdanielmueller
@better-auth/sso provider registration has server-side request forgery via unvalidated OIDC endpoints Critical
CVE-2026-53513 was published for @better-auth/sso (npm) Jul 7, 2026
vaadata-poyetont Credited to vaadata-poyetont
Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption High
CVE-2026-53517 was published for @better-auth/oauth-provider (npm) Jul 7, 2026
chdanielmueller Credited to chdanielmueller
subhanUmer Credited to subhanUmer
Better Auth has stored XSS in the auth-server origin via javascript: redirect_uri in oidc-provider and mcp High
GHSA-86j7-9j95-vpqj was published for better-auth (npm) Jul 7, 2026
hillalee Credited to hillalee
Better Auth has an account takeover issue via OAuth auto-link to unverified pre-registered email High
CVE-2026-53516 was published for better-auth (npm) Jul 7, 2026
avrmeduard Credited to avrmeduard
widavies Credited to widavies
@better-auth/oauth-provider may provide access tokens for unauthorized audiences via unbound resource indicators Moderate
GHSA-p2fr-6hmx-4528 was published for @better-auth/oauth-provider (npm) Jul 7, 2026
dvanmali Credited to dvanmali
Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins Critical
CVE-2026-53512 was published for better-auth (npm) Jul 7, 2026
subhanUmer Credited to subhanUmer
netfoil: Attacker controlled data written to logs Low
GHSA-7856-g3gv-9wq8 was published for github.com/tinfoil-factory/netfoil (Go) Jul 7, 2026
stigtsp Credited to stigtsp
ProTip! Advisories are also available from the GraphQL API