GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,092 advisories

containerd CRI checkpoint restore CDI annotation smuggling (High)
CVE-2026-53492, published for github.com/containerd/containerd/v2 (Go), Jun 19, 2026. Credited to robertprast.

Arbitrary host CRI log file read via symlink following in CRI checkpoint restore (High)
CVE-2026-53489, published for github.com/containerd/containerd/v2 (Go), Jun 19, 2026. Credited to gouldnicholas, davidrxchester, sangwon090, robertprast, and Plucky923.

containerd CRI: image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull (High)
CVE-2026-53488, published for github.com/containerd/containerd (Go), Jun 19, 2026. Credited to robertprast.

containerd: CRI checkpoint import allows local image tag poisoning (Moderate)
CVE-2026-50195, published for github.com/containerd/containerd/v2 (Go), Jun 19, 2026. Credited to hbeberman and robertprast.

containerd image-triggered runtime DoS via unbounded group parsing (Moderate)
CVE-2026-47262, published for github.com/containerd/containerd (Go), Jun 19, 2026. Credited to jake-ciolek and kyle-elliott-tob.

Hugo: security.http.urls deny rules bypassed by alternate IPv4 encodings (SSRF) (High)
GHSA-r46f-3rpw-hxrv, published for github.com/gohugoio/hugo (Go), Jun 19, 2026. Credited to vnth4nhnt.

Hugo: Symlink confinement bypass in os.ReadFile (Moderate)
GHSA-c3wq-j5vh-68rc, published for github.com/gohugoio/hugo (Go), Jun 19, 2026. Credited to vnth4nhnt.

Hugo: XSS via unescaped code-fence language in default code block renderer (Moderate)
GHSA-q76j-gcg9-vxc6, published for github.com/gohugoio/hugo (Go), Jun 19, 2026. Credited to k0ngj1.

OpenTofu: Possible arbitrary file read during certain git operations via a maliciously crafted URL (High)
GHSA-q7j3-v8qv-22vq, published for github.com/opentofu/opentofu (Go), Jun 19, 2026.

Entire CLI: Path traversal in checkpoint session metadata allows arbitrary file write during resume/rewind (Moderate)
GHSA-2h46-9x5w-4wf7, published for github.com/entireio/cli (Go), Jun 19, 2026. Credited to nskath.

OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset (Moderate)
CVE-2026-55689, published for github.com/openfga/openfga (Go), Jun 19, 2026. Credited to 0xVijay.

Tilt: Missing authentication on the network-exposed Tilt HUD server (Critical)
CVE-2026-55884, published for github.com/tilt-dev/tilt (Go), Jun 19, 2026. Credited to therawdev.

Tilt: Cross-site WebSocket hijacking of the Tilt HUD stream (High)
CVE-2026-55883, published for github.com/tilt-dev/tilt (Go), Jun 19, 2026. Credited to therawdev.

Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server (High)
CVE-2026-55882, published for github.com/tilt-dev/tilt (Go), Jun 19, 2026. Credited to therawdev.

Canonical MicroCeph: path traversal issue in the remote-import AP (Moderate)
CVE-2026-10720, published for github.com/canonical/microceph/microceph (Go), Jun 19, 2026. Credited to vnth4nhnt.

MCP Toolbox for Databases: authenticated authorization bypass (High)
CVE-2026-11719, published for github.com/googleapis/mcp-toolbox (Go), Jun 18, 2026.

googleapis/mcp-toolbox: authentication bypass vulnerability in the generic opaque token validation path (validateOpaqueToken) (Critical)
CVE-2026-11717, published for github.com/googleapis/mcp-toolbox (Go), Jun 18, 2026.

googleapis/mcp-toolbox: authentication bypass vulnerability in the generic opaque token validation path (validateOpaqueToken) (Critical)
CVE-2026-11718, published for github.com/googleapis/mcp-toolbox (Go), Jun 18, 2026.

OpenFGA Improper Policy Enforcement (Low)
CVE-2026-55170, published for github.com/openfga/openfga (Go), Jun 18, 2026. Credited to sahajamoth.

opentelemetry-collector-contrib: githubreceiver silently ignores configured required_headers authentication (Moderate)
CVE-2026-55701, published for github.com/open-telemetry/opentelemetry-collector-contrib/receiver/githubreceiver (Go), Jun 18, 2026. Credited to kodareef5.

opentelemetry-collector-contrib sentryexporter: Path traversal in Sentry exporter via attacker-controlled service.name reaches privileged Sentry API endpoints with operator bearer token (Moderate)
CVE-2026-47256, published for github.com/open-telemetry/opentelemetry-collector-contrib/exporter/sentryexporter (Go), Jun 18, 2026. Credited to brodmart.

Podman: WORKDIR symlink traversal vulnerability (Moderate)
CVE-2026-55686, published for github.com/containers/podman/v3 (Go), Jun 18, 2026. Credited to eriksjolund.

Heimdall: Forwarded Header Injection via Unsanitized Host Header in Proxy Mode (High)
GHSA-4jgr-pg2m-m988, published for github.com/dadrus/heimdall (Go), Jun 18, 2026. Credited to tikket1.

Heimdall: IP Spoofing via Unvalidated Forwarding Headers (High)
GHSA-38x9-25wx-7fg2, published for https://github.com/dadrus/heimdall (Go), Jun 18, 2026.