GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,258
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,483
Swift
61
Unreviewed advisories
All unreviewed
5,000+
32,977 advisories
Filter by severity
cut: -s ignored in -z -d '' newline-delimiter mode
Low
CVE-2026-35381
was published
for
uu_cut
(Rust)
Jul 6, 2026
mknod: Device nodes created mislabeled on SELinux, with broken cleanup (remove_dir on a node)
Low
CVE-2026-35361
was published
for
uu_mknod
(Rust)
Jul 6, 2026
mkfifo: permissions of an existing file are changed after FIFO creation fails
High
CVE-2026-35341
was published
for
uu_mkfifo
(Rust)
Jul 6, 2026
Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write
High
GHSA-qrwj-vh9x-gw5v
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
OpenRemote has Authenticated SQL Injection via Datapoint Crosstab Export
High
GHSA-cgfv-jrfp-2r7v
was published
for
io.openremote:openremote-manager
(Maven)
Jul 6, 2026
Kiwi TCMS vulnerable to stored XSS via JavaScript: URI in extra_link field (TestPlan & TestCase)
Low
CVE-2026-55630
was published
for
kiwitcms
(pip)
Jul 6, 2026
9router: Login brute-force protection bypass via spoofed X-Forwarded-For header
High
CVE-2026-55501
was published
for
9router
(npm)
Jul 6, 2026
9routers has Exposure of Sensitive Information and Unprotected Database Import/Export, Allowing Complete Credential Theft and Database Takeover
Critical
CVE-2026-55500
was published
for
9router
(npm)
Jul 6, 2026
Craft CMS: Potential authenticated Remote Code Execution via referrer redirect
High
CVE-2026-55794
was published
for
craftcms/cms
(Composer)
Jul 6, 2026
Craft CMS: Stored XSS via Structure entry title in table view
Moderate
CVE-2026-55793
was published
for
craftcms/cms
(Composer)
Jul 6, 2026
Craft CMS: Sensitive File Disclosure / Server-Side File Read
Moderate
CVE-2026-55792
was published
for
craftcms/cms
(Composer)
Jul 6, 2026
Craft CMS: DOM XSS via GitHub issue title in CraftSupport widget
High
CVE-2026-55790
was published
for
craftcms/cms
(Composer)
Jul 6, 2026
Kiwi TCMS has an Open Redirect via unvalidated next parameter in account confirmation endpoint
Moderate
CVE-2026-54724
was published
for
kiwitcms
(pip)
Jul 6, 2026
Zebra: Missing copy constraint in halo2_gadgets variable-base scalar multiplication allows under-constrained base, breaking Orchard Action circuit soundness
Critical
CVE-2026-54496
was published
for
halo2_gadgets
(Rust)
Jul 6, 2026
Langroid: Neo4jChatAgent executes LLM-generated Cypher without validation (prompt-to-Cypher injection; config-conditional RCE), mirroring the SQLChatAgent bug fixed in CVE-2026-25879
Critical
CVE-2026-55615
was published
for
langroid
(pip)
Jul 6, 2026
9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats
Critical
GHSA-vjc7-jrh9-9j86
was published
for
9router
(npm)
Jul 6, 2026
Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing
Moderate
CVE-2026-55438
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Linuxfabrik Monitoring Plugins have local privilege escalation using embedded command
High
CVE-2026-55426
was published
for
linuxfabrik-lib
(pip)
Jul 6, 2026
Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component
Moderate
CVE-2026-55437
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's AI Bridge Proxy skips TLS certificate verification in default configuration
High
CVE-2026-55436
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Suspended Coder users retain access to AI Bridge LLM proxy endpoints
Moderate
CVE-2026-55435
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints
Moderate
CVE-2026-55434
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers
Moderate
CVE-2026-55433
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's sub-agent app registration bypasses template port-sharing policy enforcement
Moderate
CVE-2026-55432
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps
High
CVE-2026-55431
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
ProTip!
Advisories are also available from the
GraphQL API