Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,580
Maven
5,000+
npm
5,000+
NuGet
919
pip
4,817
Pub
13
RubyGems
1,043
Rust
1,251
Swift
53
Unreviewed advisories
All unreviewed
5,000+

386 advisories

Loading
NornicDB has Improper Network Binding in its Bolt Server, allowing unauthorized remote access Critical
GHSA-2hp7-65r3-wv54 was published for github.com/orneryd/nornicdb (Go) Apr 22, 2026
RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution Critical
CVE-2026-41179 was published for github.com/rclone/rclone (Go) Apr 22, 2026
0wnerDied Credited to 0wnerDied and ncw ncw ncw
Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution Critical
CVE-2026-41176 was published for github.com/rclone/rclone (Go) Apr 22, 2026
0wnerDied Credited to 0wnerDied and ncw ncw ncw
openvpn-auth-oauth2 returns FUNC_SUCCESS on client-deny, allowing unauthenticated VPN access Critical
CVE-2026-41070 was published for github.com/jkroepke/openvpn-auth-oauth2 (Go) Apr 22, 2026
kkalev Credited to kkalev
Wish has SCP Path Traversal that allows arbitrary file read/write Critical
GHSA-xjvp-7243-rg9h was published for charm.land/wish/v2 (Go) Apr 18, 2026
evnsh Credited to evnsh, andreynering, and aymanbagabas andreynering andreynering
aymanbagabas aymanbagabas
Nhost Vulnerable to Account Takeover via OAuth Email Verification Bypass Critical
GHSA-6g38-8j4p-j3pr was published for github.com/nhost/nhost (Go) Apr 18, 2026
skoveit Credited to skoveit
Dgraph: Unauthenticated /debug/pprof/cmdline discloses admin auth token, enabling unauthorized access to protected Alpha admin endpoints Critical
CVE-2026-40173 was published for github.com/dgraph-io/dgraph (Go) Apr 16, 2026
komi22 Credited to komi22
Exposure of Storage Secret in Pyroscope Critical
CVE-2025-41118 was published for github.com/grafana/pyroscope (Go) Apr 15, 2026
OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing Critical
CVE-2026-40575 was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) Apr 15, 2026
iamnoooob Credited to iamnoooob
Oxia has an OIDC token audience validation bypass via SkipClientIDCheck Critical
GHSA-fhvp-9hcj-6m33 was published for github.com/oxia-db/oxia (Go) Apr 14, 2026
OAuth2 Proxy's Health Check User-Agent Matching Bypasses Authentication in auth_request Mode Critical
CVE-2026-34457 was published for github.com/oauth2-proxy/oauth2-proxy (Go) Apr 14, 2026
iamnoooob Credited to iamnoooob
goshs has an empty-username SFTP password authentication bypass Critical
CVE-2026-40884 was published for github.com/patrickhener/goshs (Go) Apr 14, 2026
R1ZZG0D Credited to R1ZZG0D
Daptin has Unauthenticated Path Traversal and Zip Slip Critical
GHSA-9cp7-j3f8-p5jx was published for github.com/daptin/daptin (Go) Apr 10, 2026
Juju: CloudSpec method leaking cloud credentials Critical
CVE-2026-5412 was published for github.com/juju/juju (Go) Apr 10, 2026
alesstimec Credited to alesstimec, wallyworld, and hpidcock wallyworld wallyworld
hpidcock hpidcock
goshs has a file-based ACL authorization bypass in goshs state-changing routes Critical
CVE-2026-40189 was published for github.com/patrickhener/goshs (Go) Apr 10, 2026
R1ZZG0D Credited to R1ZZG0D
LXD: VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf Critical
CVE-2026-34177 was published for github.com/canonical/lxd (Go) Apr 10, 2026
mpurg Credited to mpurg
LXD: Importing a crafted backup leads to project restriction bypass Critical
CVE-2026-34178 was published for github.com/canonical/lxd (Go) Apr 10, 2026
mpurg Credited to mpurg
LXD: Update of type field in restricted TLS certificate allows privilege escalation to cluster admin Critical
CVE-2026-34179 was published for github.com/canonical/lxd (Go) Apr 10, 2026
mpurg Credited to mpurg
SiYuan: Remote Code Execution in the Electron desktop client via stored XSS in synced table captions Critical
CVE-2026-39846 was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 8, 2026
ngocnn97 Credited to ngocnn97
Memory-safety vulnerability in github.com/jackc/pgx/v5. Critical
CVE-2026-33816 was published for github.com/jackc/pgx/v5 (Go) Apr 7, 2026
pgx contains memory-safety vulnerability Critical
CVE-2026-33815 was published for github.com/jackc/pgx/v5/pgproto3 (Go) Apr 7, 2026
mitar Credited to mitar
goshs: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) Critical
CVE-2026-35471 was published for github.com/patrickhener/goshs (Go) Apr 3, 2026
autobot23920 Credited to autobot23920
goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs POST multipart upload Critical
CVE-2026-35393 was published for github.com/patrickhener/goshs (Go) Apr 3, 2026
autobot23920 Credited to autobot23920
goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload Critical
CVE-2026-35392 was published for github.com/patrickhener/goshs (Go) Apr 3, 2026
autobot23920 Credited to autobot23920
Dgraph: Pre-Auth Database Overwrite + SSRF + File Read via restoreTenant Missing Authorization Critical
CVE-2026-34976 was published for github.com/dgraph-io/dgraph (Go) Apr 2, 2026
kodareef5 Credited to kodareef5
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database