GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

31,731 advisories

Pi Agent: Potential XSS in HTML session exports via Markdown URL sanitization bypass (Severity: Low)
CVE-2026-54326 was published for @earendil-works/pi-coding-agent (npm), Jun 16, 2026
Credited to urianpaul94

Gitea: Token scope bypass on web archive download endpoint (Severity: Moderate)
CVE-2026-20706 was published for code.gitea.io/gitea (Go), Jun 16, 2026
Credited to geoo115

Gitea: Missing repository-unit authorization on issue-template API endpoints (Severity: Moderate)
CVE-2026-27783 was published for code.gitea.io/gitea (Go), Jun 16, 2026
Credited to hoangperry

Gitea: Incomplete CVE-2025-68941 fix: /user/orgs missing checkTokenPublicOnly + switch-case logic flaw (Severity: Moderate)
CVE-2026-25714 was published for code.gitea.io/gitea (Go), Jun 16, 2026
Credited to Medoedus

Gitea: Authorization Bypass via "Allow edits from maintainers" allows unauthorized commits to any readable repo (Severity: High)
CVE-2026-26231 was published for code.gitea.io/gitea (Go), Jun 16, 2026
Credited to ddd

Gitea: OAuth2 access token scope enforcement bypass via HTTP Basic authentication (Severity: High)
CVE-2026-28699 was published for code.gitea.io/gitea (Go), Jun 16, 2026
Credited to Alardiians

Gogs: Overwriting critical files results in a denial of service (Severity: High)
CVE-2026-52797 was published for gogs.io/gogs (Go), Jun 16, 2026
Credited to kamil-sawicki and ncw

Credited to Uhudsavasindankacanokcu2 and DavidCarliez

Cross-site scripting via <NoScript> slot content in Nuxt's head components (Severity: Low)
GHSA-m3q2-p4fw-w38m was published for nuxt (npm), Jun 16, 2026
Credited to alcls01111

LiteLLM: Authentication Bypass via Host Header Injection (Severity: Critical)
CVE-2026-49468 was published for litellm (pip), Jun 16, 2026
Credited to LilThawg29

Gitea: Git Smart HTTP Skips Repository Token Scopes for Bearer Tokens (Severity: High)
CVE-2026-28744 was published for code.gitea.io/gitea (Go), Jun 16, 2026
Credited to ohxorud-dev and lunny

n8n: SecurityScorecard Node Leaks API Token to User-Controlled Host (Severity: High)
CVE-2026-54304 was published for n8n (npm), Jun 16, 2026
Credited to 34selen

n8n: MCP Browser HTTP Transport Exposes Unauthenticated Browser-Control Sessions (Severity: High)
CVE-2026-54309 was published for n8n (npm), Jun 16, 2026
Credited to ESPanda666

n8n: Cross-Tenant Credential Takeover via Dynamic Credentials EE Endpoints (Severity: High)
CVE-2026-54305 was published for n8n (npm), Jun 16, 2026
Credited to Solidscripting

n8n: Credential Exfiltration via Permission Bypass (Severity: High)
CVE-2026-54307 was published for n8n (npm), Jun 16, 2026

n8n: Denial of Service via ZIP decompression in webhook workflow (Severity: Moderate)
CVE-2026-54314 was published for n8n (npm), Jun 16, 2026

n8n: Public API Execution Retry Authorization Bypass (Severity: Moderate)
GHSA-h3jj-5f3v-3685 was published for n8n (npm), Jun 16, 2026
Credited to ksw9722

n8n: Python Code Node AST Validator Bypass (Severity: Moderate)
GHSA-jwm3-qcfw-c5pp was published for n8n (npm), Jun 16, 2026
Credited to Mistz1

n8n: Stored XSS in Chat Trigger Node (Severity: High)
CVE-2026-54302 was published for n8n (npm), Jun 16, 2026
Credited to sm1ee

n8n: Microsoft SQL Node Prototype Pollution (Severity: High)
CVE-2026-54312 was published for n8n (npm), Jun 16, 2026
Credited to s2ongmo

yt-dlp: Arbitrary command injection possible if --exec option used with yt-dlp (Severity: High)
GHSA-69qj-pvh9-c5wg was published for yt-dlp (pip), Jun 16, 2026
Credited to independent-arg, bashonly, and Grub4K

Daytona: Cross-org IDOR in organization role update/delete — any org owner can rewrite or destroy another org's roles (Severity: High)
CVE-2026-54322 was published for github.com/daytonaio/daytona (Go), Jun 16, 2026
Credited to vnth4nhnt and mrknight-n1du

Caddy: stripHTML template function bypass (Severity: Moderate)
CVE-2026-52846 was published for github.com/caddyserver/caddy (Go), Jun 16, 2026
Credited to jmrcsnchz