GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories (count by ecosystem):
All reviewed: 5,000+
Composer: 5,000+
Erlang: 74
GitHub Actions: 54
Go: 4,112
Maven: 5,000+
npm: 5,000+
NuGet: 994
pip: 5,000+
Pub: 13
RubyGems: 1,095
Rust: 1,417
Swift: 61

Unreviewed advisories:
All unreviewed: 5,000+
32,304 advisories
Advisory | Severity | Identifier | Package (ecosystem) | Published
Snipe-IT API Vulnerable to Cross-Tenant Accessory Injection | High | CVE-2026-54329 | snipe/snipe-it (Composer) | Jun 23, 2026
Snipe-IT's S3 signature image retrieval lacks authorization before temporary URL | Low | CVE-2026-55542 | snipe/snipe-it (Composer) | Jun 23, 2026
Snipe-IT has Improper Authorization in File Deletion (IDOR) | Low | CVE-2026-55519 | snipe/snipe-it (Composer) | Jun 23, 2026
Snipe-IT Vulnerable to Privilege Escalation via Missing admin Permission Check in User Creation | Moderate | CVE-2026-55483 | snipe/snipe-it (Composer) | Jun 23, 2026
Snipe-IT has Multi-Tenancy Bypass via Bulk Asset Update | Moderate | CVE-2026-55482 | snipe/snipe-it (Composer) | Jun 23, 2026
Snipe-IT has a 2FA reset privilege bypass | Moderate | CVE-2026-50550 | snipe/snipe-it (Composer) | Jun 23, 2026
Snipe-IT Vulnerable to User Account Escalation via CSV Import | Moderate | CVE-2026-49976 | snipe/snipe-it (Composer) | Jun 23, 2026
Flask-Security has an Open Redirect issue | Moderate | GHSA-w2j7-f3c6-g8cw | Flask-Security (pip) | Jun 23, 2026
Snipe-IT's TOTP is Brute-Forceable Due to Missing Rate Limiting on `POST /two-factor` | Moderate | CVE-2026-49870 | snipe/snipe-it (Composer) | Jun 23, 2026
phpMyFAQ: Missing userHasPermission() in 4 API write endpoints (CVE-2026-24421 Incomplete Fix) | Moderate | CVE-2026-49205 | phpmyfaq/phpmyfaq (Composer) | Jun 23, 2026
Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users | High | CVE-2026-48507 | snipe/snipe-it (Composer) | Jun 23, 2026
OpenTofu: Provider cache installation follows root-module-controlled package directory symlink and writes outside the working tree | Moderate | GHSA-wcmj-x466-56mm | github.com/opentofu/opentofu (Go) | Jun 23, 2026
Filament: Unauthenticated temporary file upload on auth pages | Moderate | CVE-2026-48500 | filament/filament (Composer) | Jun 23, 2026
opentelemetry-ebpf-profiler: Unprivileged process can trigger a denial of service on the ebpf-profiler agent | Moderate | CVE-2026-48496 | go.opentelemetry.io/ebpf-profiler (Go) | Jun 23, 2026
Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment | Moderate | CVE-2026-48493 | snipe/snipe-it (Composer) | Jun 23, 2026
Snipe-IT's selectlist visibility is too permissive | Moderate | CVE-2026-48492 | snipe/snipe-it (Composer) | Jun 23, 2026
phpMyFAQ has Weak Cryptography - SHA1 for Password Hashing | Low | CVE-2026-48488 | phpmyfaq/phpmyfaq (Composer) | Jun 23, 2026
OHttpVersionChunkDraft: Missing Final-Chunk Enforcement Leads to Undetected Stream Truncation | Moderate | CVE-2026-48480 | io.netty.incubator:netty-incubator-codec-ohttp (Maven) | Jun 23, 2026
Filament: Unvalidated ImageColumn and ImageEntry values can be used for XSS | Moderate | CVE-2026-48167 | filament/infolists (Composer) | Jun 23, 2026
Filament: Timing-based user enumeration on login page | Moderate | CVE-2026-48166 | filament/filament (Composer) | Jun 23, 2026
Slim has Reflected XSS in the HtmlErrorRenderer | Moderate | CVE-2026-48157 | slim/slim (Composer) | Jun 23, 2026
Algernon: Host header path traversal in --domain mode reads files and runs Lua from parent dir | High | CVE-2026-48126 | github.com/xyproto/algernon (Go) | Jun 23, 2026
jackson-databind has @JsonView bypass for setterless creator properties | Moderate | CVE-2026-54517 | com.fasterxml.jackson.core:jackson-databind (Maven) | Jun 23, 2026
jackson-databind's renamed @JsonIgnore'd setters can deserialize via private fields | Moderate | CVE-2026-54516 | com.fasterxml.jackson.core:jackson-databind (Maven) | Jun 23, 2026
jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties | Moderate | CVE-2026-54515 | com.fasterxml.jackson.core:jackson-databind (Maven) | Jun 23, 2026
ProTip! Advisories are also available from the GraphQL API.