GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 91
GitHub Actions: 54
Go: 4,199
Maven: 5,000+
npm: 5,000+
NuGet: 1,021
pip: 5,000+
Pub: 13
RubyGems: 1,103
Rust: 1,441
Swift: 61
Unreviewed advisories
All unreviewed: 5,000+
32,719 advisories
SurrealDB: Field-level SELECT permissions bypassed via indexed COUNT fast paths
Moderate | GHSA-c8jx-96c9-8xrp was published for surrealdb (Rust) | Jul 1, 2026

SurrealDB: USE NS/DB implicit creation bypasses DEFINE authorization
Moderate | GHSA-wp87-mgvq-5j93 was published for surrealdb (Rust) | Jul 1, 2026

SurrealDB: Port-specific --deny-net rules silently bypassed on HTTP redirect
Moderate | GHSA-97vg-427p-8hx5 was published for surrealdb (Rust) | Jul 1, 2026

SurrealDB: Authenticated subscribers can read records hidden by SELECT permissions via LIVE subscriptions
Moderate | GHSA-6wqw-vhfr-9999 was published for surrealdb (Rust) | Jul 1, 2026

SurrealDB: `RELATE` overwrites existing edge records without `UPDATE` permission
Moderate | GHSA-f82j-v89j-mf86 was published for surrealdb (Rust) | Jul 1, 2026

SurrealDB has bypass of field-level SELECT permissions through JSON Patch `copy` and `move` with empty `from`
Moderate | GHSA-fpxg-5xmv-922m was published for surrealdb (Rust) | Jul 1, 2026

SurrealDB: Authenticated callers can read fields hidden by field-level SELECT permissions via error messages
Moderate | GHSA-6g9v-7gq3-p2c6 was published for surrealdb (Rust) | Jul 1, 2026

SurrealDB: LIVE query subscriptions survive session state changes, bypassing access controls
Moderate | GHSA-4m82-p8cx-f94j was published for surrealdb (Rust) | Jul 1, 2026

SurrealDB vulnerable to pre-auth memory amplification via unbounded `/sql` WebSocket frames
Moderate | GHSA-65rj-r9fh-jp2v was published for surrealdb (Rust) | Jul 1, 2026

SurrealDB: Authorization Bypass in KILL Statement Allows Termination of Other Users' Live Queries
Moderate | GHSA-gcwr-5mrf-fvch was published for surrealdb (Rust) | Jul 1, 2026

SurrealDB: Crafting malicious LIVE queries writes to the database, resulting in DoS, without permission to the table required
Moderate | GHSA-4v76-cw68-4vc9 was published for surrealdb (Rust) | Jul 1, 2026

SurrealDB has an Authorization Bypass via Composite Record-id Paths
Moderate | GHSA-6vg3-hgrw-p5gf was published for surrealdb (Rust) | Jul 1, 2026

SurrealDB: Graph traversal bypasses table SELECT permissions
Moderate | GHSA-vjjx-rfw4-rmfc was published for surrealdb (Rust) | Jul 1, 2026

SurrealDB: Scraping a TABLE with no available PERMISSIONS to current auth level
Moderate | GHSA-98fx-66cf-fc7c was published for surrealdb (Rust) | Jul 1, 2026

SurrealDB vulnerable to Denial of Service due to nested types annotations
Moderate | GHSA-q8qp-67f9-wr3f was published for surrealdb (Rust) | Jul 1, 2026

SurrealDB has unauthenticated remote DoS via malformed RPC `use` call
High | GHSA-wjjj-24cx-f28g was published for surrealdb (Rust) | Jul 1, 2026

SurrealDB has Denial of Service in JSON parser due to nested objects
High | GHSA-q729-696q-g9pq was published for surrealdb (Rust) | Jul 1, 2026

SurrealDB: HTTP RPC Session Race Condition Allows Privilege Escalation
High | GHSA-4vgr-h27g-cf9p was published for surrealdb (Rust) | Jul 1, 2026

SurrealDB: HTTP /rpc `sessions` method leaks attached session UUIDs, enabling full session hijack by anonymous callers
High | GHSA-5qfp-32cf-69jh was published for surrealdb (Rust) | Jul 1, 2026

sigstore's `certificateOIDs` verification constraints are silently dropped and never enforced
High | CVE-2026-48815 was published for sigstore (npm) | Jul 1, 2026

sigstore-js has Insufficient Verification of Data Authenticity
Moderate | CVE-2026-48816 was published for @sigstore/verify (npm) | Jul 1, 2026

CrateDB's Blob HTTP handler bypasses authorization
Low | CVE-2026-49989 was published for io.crate:crate (Maven) | Jul 1, 2026

Kimai Password Reset Link Remains Valid After Password Change
Low | GHSA-m492-gv72-xvxj was published for kimai/kimai (Composer) | Jul 1, 2026

repomix: attach_packed_output can bypass file-read secret scanning for supported local files
Moderate | CVE-2026-49988 was published for repomix (npm) | Jul 1, 2026

Concourse login flow has an open redirect issue
Low | CVE-2026-49826 was published for github.com/concourse/concourse (Go) | Jul 1, 2026
ProTip! Advisories are also available from the GraphQL API.