Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,473 advisories

Loading
Authorizer: Unvalidated redirect_uri in /authorize leaks OAuth2 tokens to attacker-controlled URL Critical
CVE-2026-54072 was published for github.com/authorizerdev/authorizer (Go) Jul 10, 2026
morimori-dev Credited to morimori-dev
OpenRun: Redirect URL validation bypass using  //host  paths leads to Open Redirect Moderate
CVE-2026-55252 was published for github.com/openrundev/openrun (Go) Jul 9, 2026
Fushuling Credited to Fushuling and RacerZ-fighting RacerZ-fighting RacerZ-fighting
Waku has an Open Redirect via `unstable_redirect` Helper Low
CVE-2026-49456 was published for waku (npm) Jul 8, 2026
j0hndo Credited to j0hndo
Better Auth has stored XSS in the auth-server origin via javascript: redirect_uri in oidc-provider and mcp High
GHSA-86j7-9j95-vpqj was published for better-auth (npm) Jul 7, 2026
hillalee Credited to hillalee
Kiwi TCMS has an Open Redirect via unvalidated next parameter in account confirmation endpoint Moderate
CVE-2026-54724 was published for kiwitcms (pip) Jul 6, 2026
martindios Credited to martindios
Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps High
CVE-2026-55431 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
CiliumLocalRedirectPolicy addressMatcher allows cross-namespace service traffic hijacking and can break service translation Moderate
CVE-2026-53935 was published for github.com/cilium/cilium (Go) Jul 6, 2026
A vulnerability was found in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to... Low Unreviewed
CVE-2026-14632 was published Jul 4, 2026
OpenClaw MCP SSE redirects could forward Authorization headers Moderate
GHSA-9c3v-684m-579c was published for openclaw (npm) Jul 1, 2026
dingliweixlm-byte Credited to dingliweixlm-byte
Concourse login flow has an open redirect issue Low
CVE-2026-49826 was published for github.com/concourse/concourse (Go) Jul 1, 2026
Fushuling Credited to Fushuling and RacerZ-fighting RacerZ-fighting RacerZ-fighting
Probo has an open redirect bypass via path normalization Moderate
CVE-2026-49820 was published for go.probo.inc/probo (Go) Jun 30, 2026
Fushuling Credited to Fushuling
ProTip! Advisories are also available from the GraphQL API