
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

32,713 advisories

SurrealDB: Authenticated callers can read fields hidden by field-level SELECT permissions via error messages Moderate
GHSA-6g9v-7gq3-p2c6 was published for surrealdb (Rust) Jul 1, 2026
SurrealDB: LIVE query subscriptions survive session state changes, bypassing access controls Moderate
GHSA-4m82-p8cx-f94j was published for surrealdb (Rust) Jul 1, 2026
Credited to LucyEgan and addcontent
SurrealDB vulnerable to pre-auth memory amplification via unbounded `/sql` WebSocket frames Moderate
GHSA-65rj-r9fh-jp2v was published for surrealdb (Rust) Jul 1, 2026
SurrealDB: Authorization Bypass in KILL Statement Allows Termination of Other Users' Live Queries Moderate
GHSA-gcwr-5mrf-fvch was published for surrealdb (Rust) Jul 1, 2026
Credited to LucyEgan
SurrealDB has an Authorization Bypass via Composite Record-id Paths Moderate
GHSA-6vg3-hgrw-p5gf was published for surrealdb (Rust) Jul 1, 2026
SurrealDB: Graph traversal bypasses table SELECT permissions Moderate
GHSA-vjjx-rfw4-rmfc was published for surrealdb (Rust) Jul 1, 2026
SurrealDB: Scraping a TABLE with no available PERMISSIONS to current auth level Moderate
GHSA-98fx-66cf-fc7c was published for surrealdb (Rust) Jul 1, 2026
Credited to LucyEgan
SurrealDB vulnerable to Denial of Service due to nested types annotations Moderate
GHSA-q8qp-67f9-wr3f was published for surrealdb (Rust) Jul 1, 2026
Credited to DarkaMaul
SurrealDB has unauthenticated remote DoS via malformed RPC `use` call High
GHSA-wjjj-24cx-f28g was published for surrealdb (Rust) Jul 1, 2026
SurrealDB has Denial of Service in JSON parser due to nested objects High
GHSA-q729-696q-g9pq was published for surrealdb (Rust) Jul 1, 2026
Credited to DarkaMaul
SurrealDB: HTTP RPC Session Race Condition Allows Privilege Escalation High
GHSA-4vgr-h27g-cf9p was published for surrealdb (Rust) Jul 1, 2026
Credited to addcontent
sigstore's `certificateOIDs` verification constraints are silently dropped and never enforced High
CVE-2026-48815 was published for sigstore (npm) Jul 1, 2026
Credited to Jvr2022, Str1ckl4nd, and Zyy0530
sigstore-js has Insufficient Verification of Data Authenticity Moderate
CVE-2026-48816 was published for @sigstore/verify (npm) Jul 1, 2026
Credited to 1seal, Str1ckl4nd, and Zyy0530
CrateDB's Blob HTTP handler bypasses authorization Low
CVE-2026-49989 was published for io.crate:crate (Maven) Jul 1, 2026
Credited to fab1ano and matriv
Kimai Password Reset Link Remains Valid After Password Change Low
GHSA-m492-gv72-xvxj was published for kimai/kimai (Composer) Jul 1, 2026
Credited to AzureADTrent
repomix: attach_packed_output can bypass file-read secret scanning for supported local files Moderate
CVE-2026-49988 was published for repomix (npm) Jul 1, 2026
Credited to dodge1218
Concourse login flow has an open redirect issue Low
CVE-2026-49826 was published for github.com/concourse/concourse (Go) Jul 1, 2026
Credited to Fushuling and RacerZ-fighting
repomix Vulnerable to Command Injection (RCE) via `--remote-branch` Argument Injection High
CVE-2026-49987 was published for repomix (npm) Jul 1, 2026
Credited to kakashi-kx
pay-rails/pay: non-constant-time HMAC comparison in Paddle Billing webhook signature verifier High
GHSA-mjgf-xj26-9qf9 was published for pay (RubyGems) Jul 1, 2026
Credited to tonghuaroot
Credited to fabpot
Contrast's coordinator transit engine `ciphertextContainer.UnmarshalJSON` panics on attacker-controlled short ciphertexts Moderate
GHSA-3ccm-4qq2-5wrp was published for github.com/edgelesssys/contrast (Go) Jul 1, 2026
Credited to offset
Cortex has Untrusted Project Bootstrap Code Execution via `CLAUDE_PROJECT_DIR` High
CVE-2026-49986 was published for neuro-cortex-memory (pip) Jul 1, 2026
Credited to EQSTLab and useworld
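The pay-rails/pay entry above (GHSA-mjgf-xj26-9qf9) names the weakness class only: a webhook signature verifier that compares HMAC digests with an ordinary string comparison. The following is an added example written for this page, not the pay gem's code and not taken from the advisory. It assumes the `ts=<unix time>;h1=<hex HMAC-SHA256>` header layout that Paddle Billing documents for its `Paddle-Signature` header, signed over `"<ts>:<raw body>"`; the parsing, the `max_age` replay window and the sample secret and body are this example's own constructions. It shows the short-circuiting `==` check beside a length-checked, fixed-time comparison.

```ruby
require "openssl"

# Added example (not pay-rails/pay code). Header layout assumed:
#   Paddle-Signature: ts=<unix seconds>;h1=<hex hmac-sha256>
# with the MAC computed over "<ts>:<raw request body>".

def paddle_expected_digest(secret, ts, body)
  OpenSSL::HMAC.hexdigest("SHA256", secret, "#{ts}:#{body}")
end

# Splits "ts=...;h1=..." into [ts, h1]; either may be nil if absent.
def parse_paddle_signature(header)
  parts = header.to_s.split(";").map { |kv| kv.split("=", 2) }.to_h
  [parts["ts"], parts["h1"]]
end

# Vulnerable pattern: String#== returns at the first mismatching byte,
# so the time it takes tells an attacker how many leading hex characters
# of a forged h1 were correct. Kept here only to show the contrast.
def verify_unsafe(secret, header, body)
  ts, h1 = parse_paddle_signature(header)
  return false if ts.nil? || h1.nil?
  h1 == paddle_expected_digest(secret, ts, body)
end

# Hardened comparison: the length check may leak length, but the digest
# length is public anyway; the byte comparison itself runs in fixed time.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  OpenSSL.fixed_length_secure_compare(a, b)
end

# Hardened verifier: also rejects stale timestamps so a captured valid
# webhook cannot be replayed indefinitely (window size is an assumption).
def verify_safe(secret, header, body, now: Time.now.to_i, max_age: 300)
  ts, h1 = parse_paddle_signature(header)
  return false if ts.nil? || h1.nil? || ts !~ /\A\d+\z/
  return false if (now - ts.to_i).abs > max_age
  secure_compare(h1, paddle_expected_digest(secret, ts, body))
end

# Constructed sample input for a stand-alone run.
if __FILE__ == $PROGRAM_NAME
  secret = "pdl_ntfset_example_secret"
  body = '{"event_type":"transaction.completed","data":{"id":"txn_01"}}'
  ts = 1_700_000_000
  header = "ts=#{ts};h1=#{paddle_expected_digest(secret, ts, body)}"
  puts "genuine webhook accepted: #{verify_safe(secret, header, body, now: ts + 5)}"
  puts "tampered body rejected:   #{!verify_safe(secret, header, body.sub('txn_01', 'txn_02'), now: ts + 5)}"
end
```

`OpenSSL.fixed_length_secure_compare` raises on unequal lengths, which is why `secure_compare` checks `bytesize` first; `Rack::Utils.secure_compare` or `ActiveSupport::SecurityUtils.secure_compare` are equivalent drop-ins in a Rails application.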