GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
102
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
33,282 advisories
Filter by severity
MantisBT: Stored XSS in print_all_bug_page_word.php
High
CVE-2026-62944
was published
for
mantisbt/mantisbt
(Composer)
Jul 15, 2026
MantisBT: Injection of TIME_TRACKING and REMINDER Notes via REST and SOAP APIs
Moderate
CVE-2026-52883
was published
for
mantisbt/mantisbt
(Composer)
Jul 15, 2026
MantisBT: REST and SOAP API Issue Update Accepts Unreleased Product Versions From Updaters
Moderate
CVE-2026-52882
was published
for
mantisbt/mantisbt
(Composer)
Jul 15, 2026
MantisBT: Reflected XSS in admin/install.php via unescaped printf
Critical
CVE-2026-52881
was published
for
mantisbt/mantisbt
(Composer)
Jul 15, 2026
MantisBT: Reflected XSS in admin/install.php
Critical
CVE-2026-52847
was published
for
mantisbt/mantisbt
(Composer)
Jul 15, 2026
Koel: Full-read SSRF via podcast enclosure URL: isPublicHost() filter_var guard does not reject NAT64 (64:ff9b::/96) or 6to4 (2002::/16) IPv6-transition wrappers of internal IPv4
Moderate
CVE-2026-54494
was published
for
phanan/koel
(Composer)
Jul 15, 2026
Koel: Server-Side Request Forgery (SSRF) in radio station creation due to missing validation bail
Moderate
CVE-2026-50552
was published
for
phanan/koel
(Composer)
Jul 15, 2026
Koel: Incomplete fix for CVE-2026-47260 — systemic SSRF in podcast & radio fetch paths
High
CVE-2026-54491
was published
for
phanan/koel
(Composer)
Jul 15, 2026
Protobuf: Unbounded recursion depth in embedded-message decoding
High
CVE-2026-54451
was published
for
protobuf
(Erlang)
Jul 15, 2026
LangBot: Authenticated RCE Via MCP Configuration
High
CVE-2026-54449
was published
for
langbot
(pip)
Jul 15, 2026
garminconnect Has Insecure Permission Assignment for Garmin OAuth Token Store
High
CVE-2026-54447
was published
for
garminconnect
(pip)
Jul 15, 2026
Koel has SSRF through Authenticated Subsonic podcast feed URLs
Moderate
GHSA-8q6q-m837-fv64
was published
for
phanan/koel
(Composer)
Jul 15, 2026
Koel: Authenticated Full-Read SSRF via Subsonic Internet Radio Stations
High
CVE-2026-54493
was published
for
phanan/koel
(Composer)
Jul 15, 2026
Koel: Authenticated Blind SSRF via Subsonic Podcast Channel Creation
Moderate
CVE-2026-54492
was published
for
phanan/koel
(Composer)
Jul 15, 2026
MantisBT: REST API unauthorized Issue status change
Moderate
CVE-2026-49280
was published
for
mantisbt/mantisbt
(Composer)
Jul 15, 2026
MantisBT: Remote Code Execution via eval() Class Hoisting in adm_config_set.php
High
CVE-2026-49273
was published
for
mantisbt/mantisbt
(Composer)
Jul 15, 2026
MantisBT: SOAP API Authentication Bypass with Privilege Escalation to Administrator
Critical
CVE-2026-47156
was published
for
mantisbt/mantisbt
(Composer)
Jul 15, 2026
MantisBT: SQL Injection via history_order Configuration Value
High
CVE-2026-47142
was published
for
mantisbt/mantisbt
(Composer)
Jul 15, 2026
FacturaScripts: Path traversal in UploadedFile::move() via getClientOriginalName() — arbitrary file write outside MyFiles/ leading to RCE
Critical
GHSA-hgjx-r89m-m7v4
was published
for
facturascripts/facturascripts
(Composer)
Jul 14, 2026
NetLicensing-MCP: Unauthenticated Use of Server-Side NetLicensing API Key in HTTP Mode
High
CVE-2026-54446
was published
for
netlicensing-mcp
(pip)
Jul 14, 2026
Woodpecker: Privilege escalation via unrestricted serviceAccountName in the Kubernetes backend
High
CVE-2026-61549
was published
for
github.com/woodpecker-ci/woodpecker
(Go)
Jul 14, 2026
Nebula-mesh allows non-admin operators to disable webhook SSRF protection via `allow_private`
High
GHSA-7rx3-5wx3-5v76
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 14, 2026
nebula-mesh: Certificate revocation is never enforced at the mesh
High
CVE-2026-61699
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 14, 2026
n8n-MCP: Incorrect authorization can expose default-scope workflow version backups in multi-tenant HTTP mode
Moderate
CVE-2026-55608
was published
for
n8n-mcp
(npm)
Jul 14, 2026
nebula-mesh: Web UI host creation ignores configured enrollment token TTL and mints 24-hour bearer enrollment tokens
Moderate
CVE-2026-55513
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 14, 2026
ProTip!
Advisories are also available from the
GraphQL API