GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
1,316 advisories
SiYuan: Path Traversal via Double URL Encoding in `/export/` Endpoint (Incomplete Fix Bypass for CVE-2026-30869)
Severity: High. GHSA-hjh7-r5w8-5872 was published for github.com/siyuan-note/siyuan/kernel (Go) on Apr 22, 2026.
monetr: Server-side request forgery in Lunch Flow link creation and refresh
Severity: High. CVE-2026-41644 was published for github.com/monetr/monetr (Go) on Apr 22, 2026.
free5GC PCF: Memory Leak via CORS Middleware Registration in HTTP Handler Leads to Denial of Service
Severity: High. CVE-2026-41135 was published for github.com/free5gc/pcf (Go) on Apr 22, 2026.
Daptin: SQL injection via unvalidated goqu.L() calls in aggregate API
Severity: High. CVE-2026-41422 was published for github.com/daptin/daptin (Go) on Apr 22, 2026.
Tekton Pipeline: Git Resolver Unsanitized Revision Parameter Enables git Argument Injection Leading to RCE
Severity: High. CVE-2026-40938 was published for github.com/tektoncd/pipeline (Go) on Apr 21, 2026.
Tekton Pipelines: Git resolver API mode leaks system-configured API token to user-controlled serverURL
Severity: High. CVE-2026-40161 was published for github.com/tektoncd/pipeline (Go) on Apr 21, 2026.
Neko has a Self-service Privilege Escalation for Authenticated Users
Severity: High. CVE-2026-39386 was published for github.com/m1k1o/neko/server (Go) on Apr 21, 2026.
Nginx-UI: Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints
Severity: High. CVE-2026-34403 was published for github.com/0xJacky/Nginx-UI (Go) on Apr 21, 2026.
Nginx-UI: Disabled users retain full API access through previously issued bearer tokens
Severity: High. CVE-2026-33031 was published for github.com/0xJacky/Nginx-UI (Go) on Apr 21, 2026.
OpenTelemetry eBPF Instrumentation: Privileged Java agent injection allows arbitrary host file overwrite via untrusted TMPDIR
Severity: High. GHSA-8gmg-3w2q-65f4 was published for go.opentelemetry.io/obi (Go) on Apr 17, 2026.
Dapr: Service Invocation path traversal ACL bypass
Severity: High. GHSA-85gx-3qv6-4463 was published for github.com/dapr/dapr (Go) on Apr 17, 2026.
HashiCorp Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations
Severity: High. CVE-2026-5807 was published for github.com/hashicorp/vault (Go) on Apr 17, 2026.
HashiCorp Vault May Expose Tokens to Auth Plugins Due to Incorrect Header Sanitization
Severity: High. CVE-2026-4525 was published for github.com/hashicorp/vault (Go) on Apr 17, 2026.
HashiCorp Vault has a KVv2 Metadata and Secret Deletion Policy Bypass that leads to Denial-of-Service
Severity: High. CVE-2026-3605 was published for github.com/hashicorp/vault (Go) on Apr 17, 2026.
Kyverno apiCall automatically forwards ServiceAccount token to external endpoints (credential leak)
Severity: High. GHSA-8wfp-579w-6r25 was published for github.com/kyverno/kyverno (Go) on Apr 16, 2026.
Kyverno: ServiceAccount token leaked to external servers via apiCall service URL
Severity: High. GHSA-f9g8-6ppc-pqq4 was published for github.com/kyverno/kyverno (Go) on Apr 16, 2026.
Kyverno: Cross-Namespace Read Bypasses RBAC Isolation (CVE-2026-22039 Incomplete Fix)
Severity: High. GHSA-cvq5-hhx3-f99p was published for github.com/kyverno/kyverno (Go) on Apr 16, 2026.
ACME Lego: Arbitrary File Write via Path Traversal in Webroot HTTP-01 Provider
Severity: High. CVE-2026-40611 was published for github.com/go-acme/lego (Go) on Apr 16, 2026.
zrok: Unauthenticated DoS via unbounded memory allocation in striped session cookie parsing
Severity: High. CVE-2026-40303 was published for github.com/openziti/zrok (Go) on Apr 16, 2026.
SpdyStream: DOS on CRI
Severity: High. CVE-2026-35469 was published for github.com/moby/spdystream (Go) on Apr 16, 2026.
OAuth2 Proxy has an Authentication Bypass via Fragment Confusion in skip_auth_routes and skip_auth_regex
Severity: High. GHSA-pxq7-h93f-9jrg was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) on Apr 15, 2026.
Velociraptor vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token
Severity: High. CVE-2026-6290 was published for www.velocidex.com/golang/velociraptor (Go) on Apr 15, 2026.
NietThijmen ShoppingCart: Command injection in the connect function
Severity: High. CVE-2024-53412 was published for github.com/NietThijmen/ShoppingCart (Go) on Apr 15, 2026.
MinIO has an Unauthenticated Object Write via Query-String Credential Signature Bypass in Unsigned-Trailer Uploads
Severity: High. GHSA-hv4r-mvr4-25vw was published for github.com/minio/minio (Go) on Apr 14, 2026.
Oxia's TLS CA certificate chain validation fails with multi-certificate PEM bundles
Severity: High. GHSA-7jrq-q4pq-rhm6 was published for github.com/oxia-db/oxia (Go) on Apr 14, 2026.