Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

34 advisories

Loading
Trapster Community: Unauthenticated malformed DNS compression pointers crash per-packet honeypot handler Moderate
GHSA-mxwc-wh95-pw4g was published for trapster (pip) Jul 8, 2026
tonghuaroot Credited to tonghuaroot
async-tar PAX extension-header desync enables tar entry/content smuggling Moderate
CVE-2026-53600 was published for async-tar (Rust) Jul 8, 2026
tonghuaroot Credited to tonghuaroot
Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding — chunked / HTTP/2 requests High
CVE-2026-50197 was published for github.com/zalando/skipper (Go) Jul 8, 2026
tonghuaroot Credited to tonghuaroot
Weblate SSRF: outbound URL guard misses some private ranges Moderate
CVE-2026-50127 was published for weblate (pip) Jul 7, 2026
tonghuaroot Credited to tonghuaroot and nijel nijel nijel
Flask-Security-Too: WebAuthn reauthentication freshness bypass via cross-user assertion Moderate
GHSA-f66q-9rf6-8795 was published for Flask-Security-Too (pip) Jul 7, 2026
tonghuaroot Credited to tonghuaroot
Goploy: Cross-namespace IDOR and RCE via body-supplied row id in project and project_file handlers Critical
CVE-2026-53552 was published for github.com/zhenorzz/goploy (Go) Jul 7, 2026
tonghuaroot Credited to tonghuaroot
aiosmtplib vulnerable to SMTP command injection via CR/LF in sender/recipient address Moderate
CVE-2026-53533 was published for aiosmtplib (pip) Jul 7, 2026
tonghuaroot Credited to tonghuaroot
Dragonfly scheduler v1 and v2 gRPC unauthenticated SSRF via attacker-controlled PeerHost in DownloadTinyFile Moderate
CVE-2026-54637 was published for d7y.io/dragonfly/v2 (Go) Jul 6, 2026
tonghuaroot Credited to tonghuaroot and gaius-qi gaius-qi gaius-qi
tonghuaroot Credited to tonghuaroot
Dragonfly Manager OAuth provider client_secret disclosure via unauthenticated GET /api/v1/oauth Low
CVE-2026-49254 was published for d7y.io/dragonfly/v2 (Go) Jul 2, 2026
tonghuaroot Credited to tonghuaroot
tonghuaroot Credited to tonghuaroot
tonghuaroot Credited to tonghuaroot
tonghuaroot Credited to tonghuaroot
tonghuaroot Credited to tonghuaroot and jonesbusy jonesbusy jonesbusy
pay-rails/pay: non-constant-time HMAC comparison in Paddle Billing webhook signature verifier High
GHSA-mjgf-xj26-9qf9 was published for pay (RubyGems) Jul 1, 2026
tonghuaroot Credited to tonghuaroot
Fission builder pods auto-mount the fission-builder ServiceAccount token in the user-supplied builder container Moderate
CVE-2026-50565 was published for github.com/fission/fission (Go) Jun 30, 2026
tonghuaroot Credited to tonghuaroot and sanketsudake sanketsudake sanketsudake
@microsoft/kiota-http-fetchlibrary: Bearer token and Cookie leak across origin on redirect due to case-mismatched scrub in fetchRequestAdapter Moderate
CVE-2026-49336 was published for @microsoft/kiota-http-fetchlibrary (npm) Jun 26, 2026
tonghuaroot Credited to tonghuaroot, baywet, and adrian05-ms baywet baywet
adrian05-ms adrian05-ms
tonghuaroot Credited to tonghuaroot
tonghuaroot Credited to tonghuaroot and endelwar endelwar endelwar
Incus: CreateCustomVolumeFromBackup nil-pointer dereference on volume_snapshots[*].expires_at (sibling-field variant of GHSA-r7w7) Low
CVE-2026-48756 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
tonghuaroot Credited to tonghuaroot and stgraber stgraber stgraber
Incus: Nil-pointer dereference in createDependentVolumesFromBackup on disk.{Volume,VolumeSnapshots,Pool} Low
CVE-2026-48754 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
tonghuaroot Credited to tonghuaroot and stgraber stgraber stgraber
opentelemetry_sdk has unbounded memory allocation in W3C Baggage propagation Moderate
CVE-2026-48504 was published for opentelemetry_sdk (Rust) Jun 25, 2026
tonghuaroot Credited to tonghuaroot and lalitb lalitb lalitb
tonghuaroot Credited to tonghuaroot
ProTip! Advisories are also available from the GraphQL API