GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

5 advisories

Tekton Pipeline: Git Resolver Unsanitized Revision Parameter Enables git Argument Injection Leading to RCE
Severity: High
CVE-2026-40938 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
Credited to offset, vdemeester, kodareef5, and waveywaves

Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via Memory Exhaustion
Severity: Moderate
CVE-2026-40924 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
Credited to offset, vdemeester, and waveywaves

Tekton Pipelines: VolumeMount path restriction bypass via missing filepath.Clean in /tekton/ check
Severity: Moderate
CVE-2026-40923 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
Credited to kodareef5, vdemeester, aThorp96, and waveywaves

Tekton Pipelines: Git resolver API mode leaks system-configured API token to user-controlled serverURL
Severity: High
CVE-2026-40161 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
Credited to kodareef5, vdemeester, stenzopolis1986-art, and waveywaves

Tekton Pipelines has VerificationPolicy regex pattern bypass via substring matching
Severity: Moderate
CVE-2026-25542 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
Credited to 1seal, offset, vdemeester, and waveywaves