GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,746 advisories

Nezha's authenticated DDNS webhook configuration allows blind SSRF from the dashboard host Moderate
CVE-2026-47268 was published for github.com/nezhahq/nezha (Go) May 29, 2026
Credited to sondt99
go-git: Malformed Git object data may cause panics or resource exhaustion Moderate
GHSA-w5pp-99ch-qj29 was published for github.com/go-git/go-git/v5 (Go) May 29, 2026
Credited to hiddeco, N0zoM1z0, AyushParkara, and kodareef5
CAPM3 vulnerable to Cross-Namespace resource access Moderate
GHSA-rf84-wr5g-m3rp was published for github.com/metal3-io/cluster-api-provider-metal3 (Go) May 29, 2026
IPAM controller service account granted unnecessary full access to Secrets Moderate
CVE-2026-47190 was published for github.com/metal3-io/ip-address-manager (Go) May 29, 2026
Ironic Standalone Operator's controller modifies user-owned resources without consent Moderate
GHSA-hfc8-w5f4-3x6m was published for github.com/metal3-io/ironic-standalone-operator (Go) May 29, 2026
Ironic Standalone Operator's prometheus metrics exporter bound to all interfaces Moderate
GHSA-7cwm-fpfh-rrch was published for github.com/metal3-io/ironic-standalone-operator (Go) May 29, 2026
OpenBao's Kerberos Auth Method Accumulates Unaccessible Tokens Moderate
CVE-2026-46405 was published for github.com/openbao/openbao (Go) May 28, 2026
OpenBao's Inline Auth Incorrectly Redacted Headers Moderate
CVE-2026-46358 was published for github.com/openbao/openbao (Go) May 28, 2026
Credited to jackyliao123
opentelemetry-go's baggage parsing no longer caps raw header length Moderate
CVE-2026-41178 was published for go.opentelemetry.io/otel/baggage (Go) May 28, 2026
Credited to pellared and XSAM
Capsule TenantResource RawItems Cluster-Scoped Resource Creation Vulnerability Moderate
CVE-2026-22872 was published for github.com/projectcapsule/capsule (Go) May 28, 2026
Credited to b0b0haha
CrowdSec LAPI: Denial of Service via Unbounded Gzip Decompression Moderate
CVE-2026-44981 was published for github.com/crowdsecurity/crowdsec (Go) May 27, 2026
Credited to davide-s-rosa
Kata Containers have VM Escape via virtiofsd Argument Injection through Default-Enabled Pod Annotations Moderate
CVE-2026-44210 was published for github.com/kata-containers/kata-containers (Go) May 26, 2026
Credited to K-Rintaro and fidencio
Nezha Monitoring: Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members Moderate
CVE-2026-47124 was published for github.com/nezhahq/nezha (Go) May 23, 2026
Credited to sondt99
Nezha Monitoring: RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks (no ownership check) Moderate
CVE-2026-47120 was published for github.com/nezhahq/nezha (Go) May 23, 2026
Credited to b0b0haha, j311yl0v3u, and sanketsudake
Klever-Go KVM read-only execution can commit contract delete and upgrade side effects Moderate
CVE-2026-46403 was published for github.com/klever-io/klever-go (Go) May 21, 2026
Algernon: Auto-refresh SSE event server sets Access-Control-Allow-Origin: * Moderate
CVE-2026-46431 was published for github.com/xyproto/algernon (Go) May 20, 2026
Credited to Dredsen
Algernon: Auto-refresh SSE event server binds to all interfaces by default on Linux/macOS Moderate
CVE-2026-46430 was published for github.com/xyproto/algernon (Go) May 20, 2026
Credited to Dredsen
Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint Moderate
CVE-2026-45796 was published for github.com/coder/coder (Go) May 19, 2026
Credited to bencalif
Caddy: Remote Admin Authorization Bypass on PKI Endpoints via Prefix-Based Path Matching Moderate
GHSA-gx7w-56w6-g48x was published for github.com/caddyserver/caddy/v2 (Go) May 19, 2026
Credited to Amemoyoi
Caddy CVE-2026-30852 Fix Bypass Moderate
GHSA-wwhq-w58m-w29c was published for github.com/caddyserver/caddy/v2 (Go) May 19, 2026
Credited to everping
Credited to bugbunny-research
Kong Ingress Controller for Kubernetes (KIC): Secret-backed plugin configurations leak through non-sensitive diagnostics endpoint Moderate
GHSA-3278-c88v-xrh4 was published for github.com/kong/kubernetes-ingress-controller (Go) May 19, 2026
Credited to bugbunny-research
Envoy AI Proxy - MCP Message Smuggling Vulnerability Moderate
GHSA-4gph-2hhr-5mwg was published for github.com/envoyproxy/ai-gateway (Go) May 19, 2026
Credited to anaximand3r
Argo CD: Kubernetes Secret Extraction via ArgoCD ServerSideDiff via sensitive annotations Moderate
CVE-2026-45737 was published for github.com/argoproj/argo-cd/v3 (Go) May 19, 2026
ProTip! Advisories are also available from the GraphQL API