GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories (all reviewed: 5,000+), by ecosystem:
Composer: 5,000+
Erlang: 91
GitHub Actions: 54
Go: 4,199
Maven: 5,000+
npm: 5,000+
NuGet: 1,021
pip: 5,000+
Pub: 13
RubyGems: 1,103
Rust: 1,435
Swift: 61
Unreviewed advisories (all unreviewed): 5,000+
32,713 advisories
[Moderate] GHSA-6g9v-7gq3-p2c6: SurrealDB: Authenticated callers can read fields hidden by field-level SELECT permissions via error messages. Published for surrealdb (Rust), Jul 1, 2026.
[Moderate] GHSA-4m82-p8cx-f94j: SurrealDB: LIVE query subscriptions survive session state changes, bypassing access controls. Published for surrealdb (Rust), Jul 1, 2026.
[Moderate] GHSA-65rj-r9fh-jp2v: SurrealDB vulnerable to pre-auth memory amplification via unbounded `/sql` WebSocket frames. Published for surrealdb (Rust), Jul 1, 2026.
[Moderate] GHSA-gcwr-5mrf-fvch: SurrealDB: Authorization Bypass in KILL Statement Allows Termination of Other Users' Live Queries. Published for surrealdb (Rust), Jul 1, 2026.
[Moderate] GHSA-4v76-cw68-4vc9: SurrealDB: Crafting malicious LIVE queries writes to the database, resulting in DoS, without permission to the table required. Published for surrealdb (Rust), Jul 1, 2026.
[Moderate] GHSA-6vg3-hgrw-p5gf: SurrealDB has an Authorization Bypass via Composite Record-id Paths. Published for surrealdb (Rust), Jul 1, 2026.
[Moderate] GHSA-vjjx-rfw4-rmfc: SurrealDB: Graph traversal bypasses table SELECT permissions. Published for surrealdb (Rust), Jul 1, 2026.
[Moderate] GHSA-98fx-66cf-fc7c: SurrealDB: Scraping a TABLE with no available PERMISSIONS to current auth level. Published for surrealdb (Rust), Jul 1, 2026.
[Moderate] GHSA-q8qp-67f9-wr3f: SurrealDB vulnerable to Denial of Service due to nested types annotations. Published for surrealdb (Rust), Jul 1, 2026.
[High] GHSA-wjjj-24cx-f28g: SurrealDB has unauthenticated remote DoS via malformed RPC `use` call. Published for surrealdb (Rust), Jul 1, 2026.
[High] GHSA-q729-696q-g9pq: SurrealDB has Denial of Service in JSON parser due to nested objects. Published for surrealdb (Rust), Jul 1, 2026.
[High] GHSA-4vgr-h27g-cf9p: SurrealDB: HTTP RPC Session Race Condition Allows Privilege Escalation. Published for surrealdb (Rust), Jul 1, 2026.
[High] GHSA-5qfp-32cf-69jh: SurrealDB: HTTP /rpc `sessions` method leaks attached session UUIDs, enabling full session hijack by anonymous callers. Published for surrealdb (Rust), Jul 1, 2026.
[High] CVE-2026-48815: sigstore's `certificateOIDs` verification constraints are silently dropped and never enforced. Published for sigstore (npm), Jul 1, 2026.
[Moderate] CVE-2026-48816: sigstore-js has Insufficient Verification of Data Authenticity. Published for @sigstore/verify (npm), Jul 1, 2026.
[Low] CVE-2026-49989: CrateDB's Blob HTTP handler bypasses authorization. Published for io.crate:crate (Maven), Jul 1, 2026.
[Low] GHSA-m492-gv72-xvxj: Kimai Password Reset Link Remains Valid After Password Change. Published for kimai/kimai (Composer), Jul 1, 2026.
[Moderate] CVE-2026-49988: repomix: attach_packed_output can bypass file-read secret scanning for supported local files. Published for repomix (npm), Jul 1, 2026.
[Low] CVE-2026-49826: Concourse login flow has an open redirect issue. Published for github.com/concourse/concourse (Go), Jul 1, 2026.
[High] CVE-2026-49987: repomix Vulnerable to Command Injection (RCE) via `--remote-branch` Argument Injection. Published for repomix (npm), Jul 1, 2026.
[High] GHSA-mjgf-xj26-9qf9: pay-rails/pay: non-constant-time HMAC comparison in Paddle Billing webhook signature verifier. Published for pay (RubyGems), Jul 1, 2026.
[High] CVE-2026-49981: Twig: Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders for a cached `Template`. Published for twig/twig (Composer), Jul 1, 2026.
[Moderate] GHSA-3ccm-4qq2-5wrp: Contrast's coordinator transit engine `ciphertextContainer.UnmarshalJSON` panics on attacker-controlled short ciphertexts. Published for github.com/edgelesssys/contrast (Go), Jul 1, 2026.
[Low] GHSA-6c87-g9pw-78fx: Contrast's Imagepuller registryFor uses unanchored suffix matching, leaking auth credentials and trusted CA configuration to sibling-domain registries. Published for github.com/edgelesssys/contrast (Go), Jul 1, 2026.
[High] CVE-2026-49986: Cortex has Untrusted Project Bootstrap Code Execution via `CLAUDE_PROJECT_DIR`. Published for neuro-cortex-memory (pip), Jul 1, 2026.