
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

32,759 advisories

OpenClaw MCP SSE redirects could forward Authorization headers Moderate
GHSA-9c3v-684m-579c was published for openclaw (npm) Jul 1, 2026
Credited to dingliweixlm-byte
Apify Model Context Protocol (MCP) server: Actor MCP path authority injection leaks Apify token High
CVE-2026-50143 was published for @apify/actors-mcp-server (npm) Jul 1, 2026
Credited to EQSTLab and 232-323
goshs: Share-link ?token=… redemption races past download limit Moderate
CVE-2026-50139 was published for goshs.de/goshs/v2 (Go) Jul 1, 2026
Credited to black-shadow-007
Ghost: Cache-poisoning XSS in Ghost frontend via x-ghost-preview header Critical
CVE-2026-53943 was published for ghost (npm) Jul 1, 2026
Credited to Crypto-Cat
goshs: WebDAV listener ignores --read-only, --upload-only, and --no-delete mode flags High
CVE-2026-50138 was published for goshs.de/goshs/v2 (Go) Jul 1, 2026
Credited to black-shadow-007
ORAS Go forwards registry credentials across registry redirects Moderate
GHSA-vh4v-2xq2-g5cg was published for oras.land/oras-go/v2 (Go) Jul 1, 2026
Credited to mosskappa
OnGres SCRAM silent channel-binding authentication downgrade via unsupported certificate algorithms High
CVE-2026-53712 was published for com.ongres.scram:scram-client (Maven) Jul 1, 2026
Credited to KEIJOT and jorsol
`oras-go` tar extraction: Hardlink entry with relative Linkname escapes extract dir via process CWD resolution High
CVE-2026-50163 was published for oras.land/oras-go/v2 (Go) Jul 1, 2026
Credited to anvanster
oras-go has file store write outside workingDir via symlink traversal Moderate
CVE-2026-50162 was published for oras.land/oras-go/v2 (Go) Jul 1, 2026
Credited to 1seal
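The two oras-go extraction advisories above (CVE-2026-50163, a hard link whose Linkname is resolved against the process CWD; CVE-2026-50162, a symlink that lets a write land outside the working directory) are the same class of bug: an archive-supplied path becomes a filesystem path without being anchored to the extraction root. The Go extractor below is an added example, not oras-go's code. It shows the three checks such a function needs: entry names and hard-link targets are joined onto the root and tested for containment, and symlink targets are resolved relative to the link's own directory and tested the same way before the link is created. The entry names, link targets and the BuildArchive helper are constructed for the demonstration; it assumes a Unix filesystem and an empty destination directory.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscape marks any entry that would touch a path outside the extraction root.
var ErrEscape = errors.New("tar entry escapes extraction directory")

func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safePath maps an archive path (an entry Name, or a hard link's Linkname) onto root. Anchoring to
// root instead of the process working directory closes the hard-link escape; the containment check closes "../".
func safePath(root, name string) (string, error) {
	p := filepath.Join(root, name) // Join cleans, so "../" components collapse here
	if filepath.IsAbs(name) || !within(root, p) {
		return "", fmt.Errorf("%w: %q", ErrEscape, name)
	}
	return p, nil
}

// Extract unpacks a tar stream into dest (assumed empty), refusing traversal through names,
// hard links and symlinks. Permission bits are fixed to keep the example short.
func Extract(r io.Reader, dest string) error {
	root := filepath.Clean(dest) // every path below derives from root, so Rel comparisons are consistent
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		target, err := safePath(root, hdr.Name)
		if err != nil {
			return err
		}
		if err = os.MkdirAll(filepath.Dir(target), 0o700); err != nil {
			return err
		}
		switch hdr.Typeflag { // other entry types (devices, fifos) are skipped
		case tar.TypeDir:
			err = os.MkdirAll(target, 0o700)
		case tar.TypeReg:
			_ = os.Remove(target) // never write through a symlink left by an earlier entry
			var f *os.File
			if f, err = os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600); err == nil {
				_, err = io.Copy(f, tr)
				f.Close()
			}
		case tar.TypeLink:
			// Linkname names another member: map it onto root like a Name, never hand it to os.Link as-is (CWD-relative).
			var src string
			if src, err = safePath(root, hdr.Linkname); err == nil {
				err = os.Link(src, target)
			}
		case tar.TypeSymlink:
			// A symlink target is relative to the link's own directory; absolute or escaping targets are refused first.
			if filepath.IsAbs(hdr.Linkname) || !within(root, filepath.Join(filepath.Dir(target), hdr.Linkname)) {
				return fmt.Errorf("%w: symlink %q -> %q", ErrEscape, hdr.Name, hdr.Linkname)
			}
			err = os.Symlink(hdr.Linkname, target)
		}
		if err != nil {
			return err
		}
	}
}

// Entry is a constructed archive member; BuildArchive turns a list of them into an in-memory tar stream.
type Entry struct{ Hdr tar.Header; Body string }

func BuildArchive(entries []Entry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		e.Hdr.Size, e.Hdr.Mode = int64(len(e.Body)), 0o644
		tw.WriteHeader(&e.Hdr) // headers are constructed here, so the error is not checked
		tw.Write([]byte(e.Body))
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	dir, _ := os.MkdirTemp("", "untar")
	defer os.RemoveAll(dir)
	hostile := BuildArchive([]Entry{{Hdr: tar.Header{Name: "copy", Typeflag: tar.TypeLink, Linkname: "../../etc/passwd"}}})
	fmt.Println("hard link escape:", Extract(bytes.NewReader(hostile), dir)) // prints the ErrEscape error
}
```

The containment test uses filepath.Rel rather than a string prefix so that a sibling directory such as dest-evil is not mistaken for dest. Rejecting an escaping symlink before it is created is what protects later entries: a symlink that may only point inside the root cannot redirect a subsequent write outside it.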
oras-go blob upload vulnerable to credential forwarding via unvalidated Location header High
CVE-2026-50151 was published for oras.land/oras-go/v2 (Go) Jul 1, 2026
Credited to 1seal
Keycloak has privilege escalation via improper scope mapping enforcement High
CVE-2026-9795 was published for org.keycloak:keycloak-services (Maven) Jul 1, 2026
oras-go: Malicious registry can hijack Bearer token realm to exfiltrate credentials and refresh tokens Low
CVE-2026-48978 was published for oras.land/oras-go (Go) Jul 1, 2026
Credited to 1seal
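Three of the oras-go entries above (GHSA-vh4v-2xq2-g5cg, CVE-2026-50151, CVE-2026-48978) are one pattern: the client attaches credentials to a URL the registry supplied, whether a redirect target, the Location header returned by a blob-upload POST, or the realm in a WWW-Authenticate: Bearer challenge, without checking whose host that URL names. The Go below is an added example, not oras-go's code. ResolveRegistryLocation accepts a Location only if it stays on the registry's origin, and CheckBearerRealm accepts a token endpoint only if it is https and on an allow-list the caller supplies. The host names registry.example, auth.example and attacker.example and the challenge strings are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrForeignHost flags a registry-supplied URL naming a host the client never agreed to trust.
var ErrForeignHost = errors.New("registry-supplied URL points to a foreign host")

// canonicalHost normalises host:port so an omitted default port compares equal to an explicit one.
func canonicalHost(u *url.URL) string {
	port := u.Port()
	if port == "" {
		port = map[string]string{"https": "443", "http": "80"}[u.Scheme]
	}
	return strings.ToLower(u.Hostname()) + ":" + port
}

// ResolveRegistryLocation turns a Location header value (relative or absolute) into the URL for the
// follow-up request, rejecting anything that leaves the registry's origin or changes scheme, so the
// Authorization header is never attached to a request for a host the registry chose.
func ResolveRegistryLocation(base *url.URL, location string) (*url.URL, error) {
	loc, err := url.Parse(location)
	if err != nil {
		return nil, err
	}
	next := base.ResolveReference(loc)
	if canonicalHost(next) != canonicalHost(base) || next.Scheme != base.Scheme {
		return nil, fmt.Errorf("%w: %s://%s", ErrForeignHost, next.Scheme, next.Host)
	}
	return next, nil
}

// splitParams splits on commas outside quoted strings (a scope such as "repository:app:pull,push" has one).
func splitParams(s string) []string {
	var parts []string
	var cur strings.Builder
	quoted := false
	for _, r := range s {
		switch {
		case r == '"':
			quoted = !quoted
		case r == ',' && !quoted:
			parts = append(parts, cur.String())
			cur.Reset()
			continue
		}
		cur.WriteRune(r)
	}
	return append(parts, cur.String())
}

// ParseBearerChallenge extracts the parameters of a "WWW-Authenticate: Bearer" challenge (keys lower-cased, quotes stripped).
func ParseBearerChallenge(h string) (map[string]string, error) {
	const prefix = "bearer "
	if len(h) < len(prefix) || !strings.EqualFold(h[:len(prefix)], prefix) {
		return nil, errors.New("not a Bearer challenge")
	}
	params := map[string]string{}
	for _, kv := range splitParams(h[len(prefix):]) {
		k, v, ok := strings.Cut(strings.TrimSpace(kv), "=")
		if !ok {
			return nil, fmt.Errorf("malformed challenge parameter %q", kv)
		}
		params[strings.ToLower(k)] = strings.Trim(v, `"`)
	}
	return params, nil
}

// CheckBearerRealm returns the token endpoint named by the challenge only if it is an https URL on an
// allow-listed host; otherwise a hostile registry can name any realm and collect the basic credentials or
// refresh token the client sends when it goes to fetch a bearer token.
func CheckBearerRealm(challenge string, allowedHosts []string) (*url.URL, error) {
	params, err := ParseBearerChallenge(challenge)
	if err != nil {
		return nil, err
	}
	realm, err := url.Parse(params["realm"])
	if err != nil || realm.Scheme != "https" || realm.Host == "" {
		return nil, fmt.Errorf("realm %q is not an absolute https URL", params["realm"])
	}
	for _, h := range allowedHosts {
		if strings.EqualFold(realm.Hostname(), h) {
			return realm, nil
		}
	}
	return nil, fmt.Errorf("%w: realm host %s", ErrForeignHost, realm.Hostname())
}

func main() {
	base, _ := url.Parse("https://registry.example/v2/") // constructed registry
	fmt.Println(ResolveRegistryLocation(base, "https://attacker.example/v2/app/blobs/uploads/1"))
	fmt.Println(CheckBearerRealm(`Bearer realm="https://attacker.example/token",service="registry.example"`, []string{"registry.example", "auth.example"}))
}
```

Go's net/http client already drops Authorization, WWW-Authenticate and Cookie when it follows an automatic redirect to a domain that is not the initial domain or a subdomain of it, but that only covers redirects the client library follows on its own. The Location returned by a blob-upload POST and the realm in a Bearer challenge are followed by the registry client itself, so the check has to live there. The allow-list for realms is deliberate: many registries legitimately hand out a token endpoint on a different host from the registry, so the safe rule is "a host the operator configured", not "the same host".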
Rancher has Privilege Escalation from Project Owner to Host Critical
CVE-2026-41052 was published for github.com/rancher/rancher (Go) Jul 1, 2026
Credited to MMunier and Trolldemorted
@hey-api/openapi-ts's `buildClientParams` template: prototype chain substitution via unknown `$<slot>___proto__` key Moderate
CVE-2026-48819 was published for @hey-api/openapi-ts (npm) Jul 1, 2026
Credited to programsurf, daeungdaeung, and yoonsh
Rancher has over-inclusive team membership expansion in GitHub App authentication provider High
CVE-2026-41053 was published for github.com/rancher/rancher (Go) Jul 1, 2026
Credited to Yuremin and FORIMOC
Rancher Fleet vulnerable to cross namespace secret disclosure via unvalidated `valuesFrom` references in Helm Deployer Critical
CVE-2026-44935 was published for github.com/rancher/fleet (Go) Jul 1, 2026
Rancher Fleet has SSRF in Bundle Reader via Unvalidated Helm Repository URL in fleet.yaml Moderate
CVE-2026-44936 was published for github.com/rancher/fleet (Go) Jul 1, 2026
Rancher vulnerable to command injection through unsanitized YAML parameter Critical
CVE-2026-44939 was published for github.com/rancher/rancher (Go) Jul 1, 2026
Credited to Ibonok
Rancher Fleet has Unauthenticated Webhook: Regex Injection via Unsanitized Repository URL Components High
CVE-2026-44937 was published for github.com/rancher/fleet (Go) Jul 1, 2026
Fleet has PSS Bypass through addLabelsFromOptions in Fleet Agent High
CVE-2026-44938 was published for github.com/rancher/fleet (Go) Jul 1, 2026
QUIC has Broken TLS verification Critical
CVE-2026-49457 was published for quic (Erlang) Jul 1, 2026
Credited to benmmurphy
Credited to tonghuaroot and jonesbusy
Centrifugo's dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentication bypass High
CVE-2026-49998 was published for github.com/centrifugal/centrifugo (Go) Jul 1, 2026
Credited to sondt99
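The Centrifugo entry above (CVE-2026-49998) describes a JWKS cache keyed only by kid, so a key published by one issuer can end up verifying a token that claims a different issuer. The Go below is an added example, not Centrifugo's code. It builds two constructed issuers that both publish a key under kid "k1", signs a token with the second issuer's key while claiming the first, and verifies it against a kid-only cache and an (issuer, kid) cache. The EdDSA keys, issuer URLs, claims and the in-memory JWKS are all constructed; a real cache would fetch each issuer's jwks_uri.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// JWKS stands in for a fetched key set (kid -> public key); constructed here, fetched from jwks_uri in real life.
type JWKS map[string]ed25519.PublicKey

// KeyCache keeps both layouts so the lookups can be compared: byKid is the flaw, byIssuer the fix.
type KeyCache struct {
	byKid    JWKS
	byIssuer map[string]JWKS
}

// Add records one issuer's keys. In the kid-only layout the latest fetch from any issuer wins.
func (c *KeyCache) Add(issuer string, keys JWKS) {
	c.byIssuer[issuer] = keys
	for kid, k := range keys {
		c.byKid[kid] = k
	}
}

type Header struct{ Alg string `json:"alg"`; Kid string `json:"kid"` }
type Claims struct{ Iss string `json:"iss"`; Sub string `json:"sub"` }

var b64 = base64.RawURLEncoding

// Sign builds a compact EdDSA JWT; it exists only to construct the demo tokens.
func Sign(priv ed25519.PrivateKey, kid string, cl Claims) string {
	h, _ := json.Marshal(Header{Alg: "EdDSA", Kid: kid})
	p, _ := json.Marshal(cl)
	signingInput := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	return signingInput + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(signingInput)))
}

// Verify checks a compact JWT. With issuerScoped set, the still-unverified iss claim only selects
// which issuer's key set may be consulted; the signature check afterwards is what makes the claims
// trustworthy. Without it, the kid alone picks the key, whoever published it.
func Verify(c *KeyCache, token string, issuerScoped bool) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var raw [3][]byte
	for i, p := range parts {
		b, err := b64.DecodeString(p)
		if err != nil {
			return nil, err
		}
		raw[i] = b
	}
	h, cl := Header{}, Claims{}
	if json.Unmarshal(raw[0], &h) != nil || json.Unmarshal(raw[1], &cl) != nil || h.Alg != "EdDSA" {
		return nil, errors.New("malformed header or claims, or unsupported alg")
	}
	keys := c.byKid // flawed: whichever issuer published this kid last is accepted
	if issuerScoped {
		keys = c.byIssuer[cl.Iss] // nil map for an unknown issuer, so the lookup fails closed
	}
	key, ok := keys[h.Kid]
	if !ok {
		return nil, fmt.Errorf("no key %q for issuer %q", h.Kid, cl.Iss)
	}
	if !ed25519.Verify(key, []byte(parts[0]+"."+parts[1]), raw[2]) {
		return nil, errors.New("signature verification failed")
	}
	return &cl, nil
}

// Scenario reproduces the bypass with two constructed issuers that both publish kid "k1". It reports
// whether the forged token passes the kid-only lookup, whether it passes the issuer-scoped lookup,
// and whether a genuine token still passes the issuer-scoped lookup.
func Scenario() (forgedByKid, forgedByIssuer, genuineByIssuer bool) {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	c := &KeyCache{byKid: JWKS{}, byIssuer: map[string]JWKS{}}
	c.Add("https://idp.example", JWKS{"k1": pubA})      // the issuer the service trusts
	c.Add("https://attacker.example", JWKS{"k1": pubB}) // attacker-controlled issuer reusing the kid
	forged := Sign(privB, "k1", Claims{Iss: "https://idp.example", Sub: "admin"})
	genuine := Sign(privA, "k1", Claims{Iss: "https://idp.example", Sub: "alice"})
	_, e1 := Verify(c, forged, false)
	_, e2 := Verify(c, forged, true)
	_, e3 := Verify(c, genuine, true)
	return e1 == nil, e2 == nil, e3 == nil
}

func main() {
	fmt.Println(Scenario()) // true false true
}
```

The order of the two Add calls matters only for the kid-only layout, where the last fetch overwrites the first; a cache that populates itself on demand from whatever issuer a token names is exactly the situation in which an attacker controls that order. Reading iss before the signature is verified is fine as long as the claim is used for nothing except choosing which issuer's keys are eligible.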
SurrealDB: Edge PERMISSIONS FOR delete bypassed when a connected node is deleted Moderate
CVE-2026-49997 was published for surrealdb (Rust) Jul 1, 2026