GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
119 advisories
SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv Mismatch
Moderate
CVE-2026-47767
was published
for
symfony/runtime
(Composer)
Jun 9, 2026
@hapi/content header parser has a parameter smuggling issue that allows upload-filter bypass via duplicate parameters
High
CVE-2026-44974
was published
for
@hapi/content
(npm)
May 27, 2026
fast-uri vulnerable to host confusion via percent-encoded authority delimiters
High
CVE-2026-6322
was published
for
fast-uri
(npm)
May 8, 2026
Flight: HTTP method override enabled by default, facilitating CSRF escalation and middleware bypass
High
CVE-2026-42551
was published
for
flightphp/core
(Composer)
May 6, 2026
Fiber's cache middleware default key generator ignores query string, causing response mix-up across distinct query parameters
Moderate
CVE-2026-30246
was published
for
github.com/gofiber/fiber/v3
(Go)
Apr 28, 2026
justhtml has sanitization bypass in custom policies and programmatic DOM
Moderate
GHSA-vrx2-77f2-ww34
was published
for
justhtml
(pip)
Apr 22, 2026
@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes
Critical
CVE-2026-6270
was published
for
@fastify/middie
(npm)
Apr 16, 2026
@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option
High
CVE-2026-33804
was published
for
@fastify/middie
(npm)
Apr 16, 2026
Official Clerk JavaScript SDKs: Middleware-based route protection bypass
Critical
CVE-2026-41248
was published
for
@clerk/astro
(npm)
Apr 16, 2026
@fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)
Critical
CVE-2026-33808
was published
for
@fastify/express
(npm)
Apr 16, 2026
@fastify/express's middleware path doubling causes authentication bypass in child plugin scopes
Critical
CVE-2026-33807
was published
for
@fastify/express
(npm)
Apr 16, 2026
Multiple security fixes in justhtml
Low
GHSA-4p64-v8f5-r2gx
was published
for
justhtml
(pip)
Apr 14, 2026
Parse Server: File upload Content-Type override via extension mismatch
Low
CVE-2026-35200
was published
for
parse-server
(npm)
Apr 4, 2026
OpenClaw: Tlon Startup Migration Rehydrates Empty-Array Revocations From File Config
Low
CVE-2026-41388
was published
for
openclaw
(npm)
Apr 3, 2026
Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing
Moderate
CVE-2026-32762
was published
for
rack
(RubyGems)
Apr 2, 2026
Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass.
Moderate
CVE-2026-26961
was published
for
rack
(RubyGems)
Apr 2, 2026
ProTip!
Advisories are also available from the
GraphQL API