Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

33,317 advisories

Loading
ToolHive: SSRF in remote MCP server authentication discovery (host-side, bypasses container isolation) Low
CVE-2026-58196 was published for github.com/stacklok/toolhive (Go) Jul 15, 2026
bIackr0se Credited to bIackr0se, jhrozek, JAORMX, ChrisJBurns, and rdimitrov jhrozek jhrozek
JAORMX JAORMX ChrisJBurns ChrisJBurns rdimitrov rdimitrov
adawolfa/isdoc: Uncontrolled resource consumption (decompression bomb) when reading untrusted ISDOCX or PDF files Moderate
GHSA-xg43-5579-qw6v was published for adawolfa/isdoc (Composer) Jul 15, 2026
@andrea9293/mcp-documentation-server: Web UI API binds to all interfaces without authentication by default High
CVE-2026-54504 was published for @andrea9293/mcp-documentation-server (npm) Jul 15, 2026
tonghuaroot Credited to tonghuaroot
Pomerium Pre-Auth Memory Exhaustion via Unbounded zstd Decompression in HPKE Callback High
CVE-2026-50285 was published for github.com/pomerium/pomerium (Go) Jul 15, 2026
bugbunny-research Credited to bugbunny-research
dd-trace-rb: Improper parsing of W3C baggage headers may lead to DoS High
CVE-2026-50276 was published for datadog (RubyGems) Jul 15, 2026
dd-trace-go: Improper parsing of W3C baggage headers may lead to DoS High
CVE-2026-50274 was published for github.com/DataDog/dd-trace-go (Go) Jul 15, 2026
dd-trace-dotnet: Improper parsing of W3C baggage headers may lead to DoS High
CVE-2026-50273 was published for Datadog.Trace (NuGet) Jul 15, 2026
dd-trace-js: Improper parsing of W3C baggage headers may lead to DoS High
CVE-2026-50272 was published for dd-trace (npm) Jul 15, 2026
dd-trace-py: Improper parsing of W3C baggage headers may lead to DoS High
CVE-2026-50271 was published for ddtrace (pip) Jul 15, 2026
dd-trace-java: Improper parsing of W3C baggage headers may lead to DoS High
CVE-2026-50270 was published for com.datadoghq:dd-java-agent (Maven) Jul 15, 2026
ViewComponent: Reused Component Instances Retain Stale Render Context Moderate
CVE-2026-54497 was published for view_component (RubyGems) Jul 15, 2026
cyberlanc3r Credited to cyberlanc3r
ViewComponent: around_render HTML-Safety Bypass High
CVE-2026-54498 was published for view_component (RubyGems) Jul 15, 2026
cyberlanc3r Credited to cyberlanc3r
open-feature-operator: Cross-namespace FeatureFlagSource and InProcessConfiguration resolution exposes spec contents on multi-tenant clusters Moderate
CVE-2026-54495 was published for github.com/open-feature/open-feature-operator (Go) Jul 15, 2026
0xVijay Credited to 0xVijay
django-haystack: Remote Code Execution via `eval()` in Elasticsearch Result Deserialization High
GHSA-r3hx-x5rh-p9vv was published for django-haystack (pip) Jul 15, 2026
serde_with: KeyValueMap serialization panics on empty sequence or map entries Moderate
GHSA-7gcf-g7xr-8hxj was published for serde_with (Rust) Jul 15, 2026
7thParkk Credited to 7thParkk
websocket-driver: Resource limit bypass via message compression Moderate
CVE-2026-54490 was published for websocket-driver (npm) Jul 15, 2026
pranjalithakur Credited to pranjalithakur
websocket-driver: Message corruption via abuse of protocol length headers Critical
CVE-2026-54466 was published for websocket-driver (npm) Jul 15, 2026
pranjalithakur Credited to pranjalithakur
websocket-driver: Memory exhaustion in HTTP header parser Moderate
CVE-2026-54465 was published for websocket-driver (RubyGems) Jul 15, 2026
pranjalithakur Credited to pranjalithakur
websocket-driver: Resource limit bypass via message compression Moderate
CVE-2026-54464 was published for websocket-driver (RubyGems) Jul 15, 2026
pranjalithakur Credited to pranjalithakur
websocket-driver: Memory exhaustion via abuse of protocol length headers Moderate
CVE-2026-54463 was published for websocket-driver (RubyGems) Jul 15, 2026
pranjalithakur Credited to pranjalithakur
Pixeldrain API key shared with unverified thirdparty sites Moderate
CVE-2026-54254 was published for cyberdrop-dl-patched (pip) Jul 15, 2026
NTFSvolume Credited to NTFSvolume
TensorZero Gateway: Arbitrary file read and SSRF in internal object storage endpoint High
CVE-2026-54457 was published for tensorzero (pip) Jul 15, 2026
geo-chen Credited to geo-chen
safeurl is Missing IPv6 CIDR Ranges in Blocklist Moderate
CVE-2026-54452 was published for github.com/doyensec/safeurl (Go) Jul 15, 2026
tonghuaroot Credited to tonghuaroot
vittorio-prodomo Credited to vittorio-prodomo, mo-getter, benjaminpkane, kevin-dimichel, AdonaiVera, and AAtomical mo-getter mo-getter
benjaminpkane benjaminpkane kevin-dimichel kevin-dimichel AdonaiVera AdonaiVera AAtomical AAtomical
ProTip! Advisories are also available from the GraphQL API