Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

33,204 advisories

Loading
DIRAC: SQL injection and lack of access control in PilotManager service High
GHSA-7xw9-549r-8jrc was published for DIRAC (pip) Jul 13, 2026
sfayer Credited to sfayer
DIRAC: Pilot code downloaded over unverified HTTPS connection High
CVE-2026-61668 was published for DIRAC (pip) Jul 13, 2026
sfayer Credited to sfayer
DIRAC is vulnerable to RCE in FileCatalog DatasetManager via SQL injection + eval Critical
CVE-2026-61667 was published for DIRAC (pip) Jul 13, 2026
sfayer Credited to sfayer
Apollo ConfigService access key authentication bypass via raw config file appId parsing High
CVE-2026-59955 was published for com.ctrip.framework.apollo:apollo (Maven) Jul 13, 2026
zhou-youyou Credited to zhou-youyou and Jarvis-Huanglz Jarvis-Huanglz Jarvis-Huanglz
Apollo ConfigService access key authentication bypass via appId parsing and non-canonical matching High
CVE-2026-59954 was published for com.ctrip.framework.apollo:apollo (Maven) Jul 13, 2026
zhou-youyou Credited to zhou-youyou and Jarvis-Huanglz Jarvis-Huanglz Jarvis-Huanglz
NukeViet: Pre-authentication SSRF via X-Forwarded-Host High
CVE-2026-55372 was published for nukeviet/nukeviet (Composer) Jul 13, 2026
g03m0n Credited to g03m0n and hoaquynhtim99 hoaquynhtim99 hoaquynhtim99
NukeViet: Path Traversal to Arbitrary File Deletion in Edit Comment Function High
CVE-2026-54065 was published for nukeviet/nukeviet (Composer) Jul 13, 2026
g03m0n Credited to g03m0n and hoaquynhtim99 hoaquynhtim99 hoaquynhtim99
NukeViet: Multiple Anti-XSS Filter Bypasses Leading to Stored XSS in News Module High
CVE-2026-54064 was published for nukeviet/nukeviet (Composer) Jul 13, 2026
hoaquynhtim99 Credited to hoaquynhtim99 and g03m0n g03m0n g03m0n
NukeViet: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') High
CVE-2026-49259 was published for nukeviet/nukeviet (Composer) Jul 13, 2026
0xGunrunner Credited to 0xGunrunner
NukeViet: Unauthenticated Reflected XSS in Comment Module High
CVE-2026-48118 was published for nukeviet/nukeviet (Composer) Jul 13, 2026
hoaquynhtim99 Credited to hoaquynhtim99 and 0xGunrunner 0xGunrunner 0xGunrunner
DIRAC is vulnerable to RCE in RequestManager due to eval on untrusted input Critical
CVE-2026-45579 was published for DIRAC (pip) Jul 13, 2026
sfayer Credited to sfayer
Decidim: Push subscriptions can be abused for server-side requests Moderate
CVE-2026-45573 was published for decidim-core (RubyGems) Jul 13, 2026
Decidim: HTML content blocks allow stored script execution Moderate
CVE-2026-45572 was published for decidim-core (RubyGems) Jul 13, 2026
Decidim: CSV census record endpoints improper authorization Moderate
CVE-2026-45415 was published for decidim-verifications (RubyGems) Jul 13, 2026
Decidim: JWT-backed authentication can be replayed across organizations High
CVE-2026-45414 was published for decidim (RubyGems) Jul 13, 2026
Decidim: Verification documents can be downloaded through reusable links High
CVE-2026-45378 was published for decidim-verifications (RubyGems) Jul 13, 2026
andreslucena Credited to andreslucena
Decidim: Private exports can be downloaded through reusable links Moderate
CVE-2026-45377 was published for decidim-core (RubyGems) Jul 13, 2026
Decidim: Admin user search allows SQL injection through similarity-based sorting Moderate
CVE-2026-45376 was published for decidim-admin (RubyGems) Jul 13, 2026
Decidim: Verification admins can access supplied IDs from other organizations Moderate
CVE-2026-45330 was published for decidim-verifications (RubyGems) Jul 13, 2026
Decidim: Forms admin question editor lacks authorization Moderate
CVE-2026-45086 was published for decidim-demographics (RubyGems) Jul 13, 2026
Apollo Portal: There is a risk of unauthorized access to the Apollo configuration center Moderate
CVE-2025-32781 was published for com.ctrip.framework.apollo:apollo (Maven) Jul 13, 2026
lesignals Credited to lesignals
GeoNode: Stored XSS to full account takeover Moderate
CVE-2024-27091 was published for geonode (pip) Jul 13, 2026
ImThatT Credited to ImThatT
TSDProxy: Internal proxy auth token forwarded to backend services enables management API escalation Critical
GHSA-g936-7jqj-mwv8 was published for github.com/almeidapaulopt/tsdproxy (Go) Jul 10, 2026
therawdev Credited to therawdev
melange: Incomplete package integrity verification allows data section substitution High
CVE-2026-54174 was published for chainguard.dev/apko (Go) Jul 10, 2026
xnox Credited to xnox and egibs egibs egibs
Excon does not redact additional sensitive/risky headers when following redirects Moderate
CVE-2026-54171 was published for excon (RubyGems) Jul 10, 2026
SnailSploit Credited to SnailSploit
ProTip! Advisories are also available from the GraphQL API