GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,450 advisories

authentik's XML Signature Wrapping in SAML Source ACS allows authentication as arbitrary federated user High
CVE-2026-47201 was published for goauthentik.io (Go) May 29, 2026
Gotenberg has a Race Condition via Multipart `downloadFrom` Handling High
CVE-2026-45742 was published for github.com/gotenberg/gotenberg/v8 (Go) May 29, 2026
Credited to uokik
Gotenberg has an SSRF deny-list bypass in IsPublicIP via IPv6 6to4 / NAT64 / site-local prefixes High
CVE-2026-45741 was published for github.com/gotenberg/gotenberg/v8 (Go) May 29, 2026
Credited to yuui25
Gotenberg has path traversal in zip entry name via Windows-style separators in upload filename High
CVE-2026-44829 was published for github.com/gotenberg/gotenberg/v8 (Go) May 29, 2026
Credited to Curly-Haired-Baboon
Credited to BagToad, kommendorkapten, and babakks
Arcane Has an Authenticated Arbitrary Host File Read via Docker Compose Include Directives High
CVE-2026-47179 was published for github.com/getarcaneapp/arcane/backend (Go) May 28, 2026
Credited to offset
OpenBao's cross-namespace lease revocation via legacy sys/revoke path bypasses ACL High
CVE-2026-45808 was published for github.com/openbao/openbao (Go) May 28, 2026
Credited to fg0x0
Kata guest escape: runtime-rs guest-root to host-root escape via virtiofs High
CVE-2026-47243 was published for github.com/kata-containers/kata-containers (Go) May 27, 2026
Credited to JulesDT, sprt, fidencio, and stevenhorsman
CrowdSec AppSec silently drops request body for chunked / HTTP-2 requests High
CVE-2026-44982 was published for github.com/crowdsecurity/crowdsec (Go) May 27, 2026
Credited to mmarting
Arcane: Missing admin authorization on global variables endpoint High
CVE-2026-47125 was published for github.com/getarcaneapp/arcane/backend (Go) May 23, 2026
Credited to offset
Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification High
CVE-2026-46717 was published for github.com/nezhahq/nezha (Go) May 23, 2026
containerd user ID handling bypass allows runAsNonRoot evasion High
CVE-2026-46680 was published for github.com/containerd/containerd (Go) May 21, 2026
Credited to ssst0n3
Credited to FORIMOC and sanketsudake
Fission StorageSvc /v1/archive endpoint exposes unauthenticated CRUD over all function archives High
CVE-2026-46612 was published for github.com/fission/fission (Go) May 21, 2026
Credited to j311yl0v3u, b0b0haha, and sanketsudake
Caddy Defender trusted proxy client IP bypass High
CVE-2026-46415 was published for pkg.jsn.cam/caddy-defender (Go) May 19, 2026
Credited to JasonLovesDoggo
FileBrowser Quantum: unauthenticated user share share info High
CVE-2026-46410 was published for github.com/gtsteffaniak/filebrowser (Go) May 19, 2026
Dasel: Denial of service in dasel selector lexer due to infinite loop on unterminated regex literal High
CVE-2026-46378 was published for github.com/tomwright/dasel/v3 (Go) May 19, 2026
Credited to kq5y
Dasel: Index-out-of-range panic in dasel selector lexer on trailing backslash in quoted string High
CVE-2026-46377 was published for github.com/tomwright/dasel/v3 (Go) May 19, 2026
Credited to kq5y
Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation High
CVE-2026-45738 was published for github.com/argoproj/argo-cd (Go) May 19, 2026
Credited to kah-ja
Mailpit: Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes High
CVE-2026-45713 was published for github.com/axllent/mailpit (Go) May 19, 2026
Credited to KadirArslan
zrok copy writes attacker-controlled WebDAV paths outside the destination root High
CVE-2026-45576 was published for github.com/openziti/zrok (Go) May 19, 2026
Credited to aisafe-bot
Algernon: Single-file mode unconditionally enables debug mode High
CVE-2026-45728 was published for github.com/xyproto/algernon (Go) May 19, 2026
Credited to Dredsen
OpenTelemetry eBPF Instrumentation: Memcached payload length overflow can crash OBI High
CVE-2026-45686 was published for go.opentelemetry.io/obi (Go) May 18, 2026
Credited to MrAlias and grcevski
OpenTelemetry eBPF Instrumentation: MongoDB parser panics on malformed wire messages High
CVE-2026-45685 was published for go.opentelemetry.io/obi (Go) May 18, 2026
Credited to MrAlias
OpenTelemetry eBPF Instrumentation: Postgres BIND parsing can panic on malformed payloads High
CVE-2026-45678 was published for go.opentelemetry.io/obi (Go) May 18, 2026
Credited to MrAlias, grcevski, and rafaelroquetto