GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

32,719 advisories

SurrealDB: Field-level SELECT permissions bypassed via indexed COUNT fast paths Moderate
GHSA-c8jx-96c9-8xrp was published for surrealdb (Rust) Jul 1, 2026
SurrealDB: USE NS/DB implicit creation bypasses DEFINE authorization Moderate
GHSA-wp87-mgvq-5j93 was published for surrealdb (Rust) Jul 1, 2026
SurrealDB: Port-specific --deny-net rules silently bypassed on HTTP redirect Moderate
GHSA-97vg-427p-8hx5 was published for surrealdb (Rust) Jul 1, 2026
SurrealDB: Authenticated subscribers can read records hidden by SELECT permissions via LIVE subscriptions Moderate
GHSA-6wqw-vhfr-9999 was published for surrealdb (Rust) Jul 1, 2026
SurrealDB: `RELATE` overwrites existing edge records without `UPDATE` permission Moderate
GHSA-f82j-v89j-mf86 was published for surrealdb (Rust) Jul 1, 2026
SurrealDB has bypass of field-level SELECT permissions through JSON Patch `copy` and `move` with empty `from` Moderate
GHSA-fpxg-5xmv-922m was published for surrealdb (Rust) Jul 1, 2026
SurrealDB: Authenticated callers can read fields hidden by field-level SELECT permissions via error messages Moderate
GHSA-6g9v-7gq3-p2c6 was published for surrealdb (Rust) Jul 1, 2026
SurrealDB: LIVE query subscriptions survive session state changes, bypassing access controls Moderate
GHSA-4m82-p8cx-f94j was published for surrealdb (Rust) Jul 1, 2026
Credited to LucyEgan and addcontent
SurrealDB vulnerable to pre-auth memory amplification via unbounded `/sql` WebSocket frames Moderate
GHSA-65rj-r9fh-jp2v was published for surrealdb (Rust) Jul 1, 2026
SurrealDB: Authorization Bypass in KILL Statement Allows Termination of Other Users' Live Queries Moderate
GHSA-gcwr-5mrf-fvch was published for surrealdb (Rust) Jul 1, 2026
Credited to LucyEgan
SurrealDB has an Authorization Bypass via Composite Record-id Paths Moderate
GHSA-6vg3-hgrw-p5gf was published for surrealdb (Rust) Jul 1, 2026
SurrealDB: Graph traversal bypasses table SELECT permissions Moderate
GHSA-vjjx-rfw4-rmfc was published for surrealdb (Rust) Jul 1, 2026
SurrealDB: Scraping a TABLE with no available PERMISSIONS to current auth level Moderate
GHSA-98fx-66cf-fc7c was published for surrealdb (Rust) Jul 1, 2026
Credited to LucyEgan
SurrealDB vulnerable to Denial of Service due to nested types annotations Moderate
GHSA-q8qp-67f9-wr3f was published for surrealdb (Rust) Jul 1, 2026
Credited to DarkaMaul
SurrealDB has unauthenticated remote DoS via malformed RPC `use` call High
GHSA-wjjj-24cx-f28g was published for surrealdb (Rust) Jul 1, 2026
SurrealDB has Denial of Service in JSON parser due to nested objects High
GHSA-q729-696q-g9pq was published for surrealdb (Rust) Jul 1, 2026
Credited to DarkaMaul
SurrealDB: HTTP RPC Session Race Condition Allows Privilege Escalation High
GHSA-4vgr-h27g-cf9p was published for surrealdb (Rust) Jul 1, 2026
Credited to addcontent
sigstore's `certificateOIDs` verification constraints are silently dropped and never enforced High
CVE-2026-48815 was published for sigstore (npm) Jul 1, 2026
Credited to Jvr2022, Str1ckl4nd, and Zyy0530
sigstore-js has Insufficient Verification of Data Authenticity Moderate
CVE-2026-48816 was published for @sigstore/verify (npm) Jul 1, 2026
Credited to 1seal, Str1ckl4nd, and Zyy0530
CrateDB's Blob HTTP handler bypasses authorization Low
CVE-2026-49989 was published for io.crate:crate (Maven) Jul 1, 2026
Credited to fab1ano and matriv
Kimai Password Reset Link Remains Valid After Password Change Low
GHSA-m492-gv72-xvxj was published for kimai/kimai (Composer) Jul 1, 2026
Credited to AzureADTrent
repomix: attach_packed_output can bypass file-read secret scanning for supported local files Moderate
CVE-2026-49988 was published for repomix (npm) Jul 1, 2026
Credited to dodge1218
Concourse login flow has an open redirect issue Low
CVE-2026-49826 was published for github.com/concourse/concourse (Go) Jul 1, 2026
Credited to Fushuling and RacerZ-fighting
ProTip! Advisories are also available from the GraphQL API