Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,931
Maven
5,000+
npm
5,000+
NuGet
969
pip
5,000+
Pub
13
RubyGems
1,062
Rust
1,382
Swift
56
Unreviewed advisories
All unreviewed
5,000+

1,746 advisories

Loading
SiYuan: Broken access control in `/api/tag/getTag` — Reader role can mutate `Conf.Tag.Sort` and persist to disk Moderate
CVE-2026-45147 was published for github.com/siyuan-note/siyuan/kernel (Go) May 13, 2026
StarPlatinu Credited to StarPlatinu
Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false Moderate
CVE-2026-44774 was published for github.com/traefik/traefik (Go) May 13, 2026
tamemghq Credited to tamemghq
go-billy: Lack of depth and cycle detection in symlink resolution may lead to infinite loops and resource exhaustion Moderate
CVE-2026-44740 was published for github.com/go-git/go-billy/v5 (Go) May 13, 2026
faran66 Credited to faran66
HashiCorp Nomad’s exec2 task driver vulnerable to a symlink attack Moderate
CVE-2026-8052 was published for github.com/hashicorp/nomad-driver-exec2 (Go) May 12, 2026
HashiCorp Nomad vulnerable to symlink attack Moderate
CVE-2026-6959 was published for github.com/hashicorp/nomad (Go) May 12, 2026
Crabbox contains a path traversal vulnerability in the Islo provider's workspace path resolution Moderate
CVE-2026-45224 was published for github.com/openclaw/crabbox (Go) May 11, 2026
Gryph Agents Payload Filter Fails to Strip Tool Payload for Sensitive Content Moderate
CVE-2026-45046 was published for github.com/safedep/gryph (Go) May 11, 2026
dodge1218 Credited to dodge1218
Ella Core has a UE Security Capability bypass on NGAP PathSwitchRequest Moderate
CVE-2026-44475 was published for github.com/ellanetworks/core (Go) May 11, 2026
SJNA0414 Credited to SJNA0414, bradypus404, and ICSR-KMU bradypus404 bradypus404
ICSR-KMU ICSR-KMU
free5GC's UDR nudr-dr DELETE amf-subscriptions panics on missing UE state via nil interface type assertion (single authenticated request) Moderate
CVE-2026-44324 was published for github.com/free5gc/udr (Go) May 8, 2026
LinZiyuu Credited to LinZiyuu
free5GC's UDR nudr-dr DELETE amf-subscriptions panics on missing subsId when UE state exists (nil pointer dereference) Moderate
CVE-2026-44323 was published for github.com/free5gc/udr (Go) May 8, 2026
LinZiyuu Credited to LinZiyuu
free5GC's BSF concurrent PUT /nbsf-management/v1/subscriptions/{subId} crashes the BSF process via concurrent map read/write on Subscriptions Moderate
CVE-2026-44318 was published for github.com/free5gc/bsf (Go) May 8, 2026
LinZiyuu Credited to LinZiyuu
free5GC's PCF npcf-policyauthorization POST /app-sessions panics on suppFeat=1 with missing AfRoutReq via nil pointer dereference Moderate
CVE-2026-44317 was published for github.com/free5gc/pcf (Go) May 8, 2026
LinZiyuu Credited to LinZiyuu
gitsign verify accepts signatures over go-git-normalized bytes, enabling trust confusion on malformed commits Moderate
CVE-2026-44309 was published for github.com/sigstore/gitsign (Go) May 8, 2026
bugbunny-research Credited to bugbunny-research
in-toto-golang and in-toto-python have inconsistent negation behavior Moderate
GHSA-pmwq-pjrm-6p5r was published for github.com/in-toto/in-toto-golang (Go) May 8, 2026
1seal Credited to 1seal
Volcano's webhook server vulnerable to OOM due to unbounded HTTP request body size Moderate
CVE-2026-44247 was published for volcano.sh/volcano (Go) May 8, 2026
JesseStutler Credited to JesseStutler, bugbunny-research, hzxuzhonghu, and kevin-wangzefeng bugbunny-research bugbunny-research
hzxuzhonghu hzxuzhonghu kevin-wangzefeng kevin-wangzefeng
gitsign --verify panics on empty-certificate PKCS7 and exits 0, bypassing exit-code callers Moderate
CVE-2026-44310 was published for github.com/sigstore/gitsign (Go) May 8, 2026
bugbunny-research Credited to bugbunny-research
ExternalSecrets vulnerable to privilege escalation with secret overwriting Moderate
CVE-2026-42876 was published for github.com/external-secrets/external-secrets/apis (Go) May 8, 2026
factory-nizar Credited to factory-nizar and factory-kirk factory-kirk factory-kirk
MCP Registry has an unauthenticated SSRF: HTTP namespace verification dials 6to4 / NAT64 / site-local IPv6 addresses, bypassing private-address allowlist Moderate
CVE-2026-44430 was published for github.com/modelcontextprotocol/registry (Go) May 8, 2026
matte1782 Credited to matte1782 and rdimitrov rdimitrov rdimitrov
MCP Registry vulnerable to stored XSS in catalogue UI via attribute-quote breakout in publisher-controlled `websiteUrl` Moderate
CVE-2026-44429 was published for github.com/modelcontextprotocol/registry (Go) May 8, 2026
JosephDoUrden Credited to JosephDoUrden and rdimitrov rdimitrov rdimitrov
MCP Registry has open redirect via protocol-relative path in trailing-slash middleware Moderate
CVE-2026-44427 was published for github.com/modelcontextprotocol/registry (Go) May 8, 2026
gujasec Credited to gujasec and rdimitrov rdimitrov rdimitrov
Ech0 allows PUT /api/echo/like/:id unauthenticated: anonymous callers to modify any echo's fav_count Moderate
GHSA-pj6q-4vq4-r8cg was published for github.com/lin-snow/Ech0 (Go) May 7, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Ech0's Unauthenticated Like Endpoint Enables Arbitrary Engagement Metric Inflation Moderate
GHSA-rgj7-vg8v-j4wr was published for github.com/lin-snow/ech0 (Go) May 7, 2026
VashuVats Credited to VashuVats
Ech0's RSS feed renders unescaped tag names and raw-HTML markdown, stored XSS against subscribers Moderate
GHSA-3v85-fqvh-7rxf was published for github.com/lin-snow/Ech0 (Go) May 7, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Ech0 comment model's Email field returned on public /api/comments endpoints Moderate
GHSA-rj4g-rqgh-rx9h was published for github.com/lin-snow/Ech0 (Go) May 7, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
gittuf's policy can be rolled back to prior valid versions Moderate
CVE-2026-44544 was published for github.com/gittuf/gittuf (Go) May 7, 2026
andrew Credited to andrew
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database