GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,092 advisories

ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider Moderate
CVE-2026-55669 was published for github.com/zitadel/zitadel (Go) Jun 18, 2026
Credited to Android-Login-Analysis, IAM-marco, livio-a, and Punisher100
ZITADEL: Missing Token Lifecycle Validation (`exp` and `iat`) in JWT IdP Provider Moderate
GHSA-wxg7-w2v3-w38g was published for github.com/zitadel/zitadel (Go) Jun 18, 2026
Credited to Android-Login-Analysis, livio-a, and IAM-marco
Credited to kodareef5, grvijayan, IAM-marco, livio-a, cipher-creator, and N008x
ZITADEL: Cross-Tenant User Leakage via Recycled Identifiers Low
CVE-2026-55670 was published for github.com/zitadel/zitadel (Go) Jun 18, 2026
Credited to livio-a and emgrav
Docker MCP Gateway: Argument injection via OCI image label YAML High
CVE-2026-55887 was published for github.com/docker/mcp-gateway (Go) Jun 18, 2026
Gotenberg: SSRF via LibreOffice document processing High
CVE-2026-55229 was published for github.com/gotenberg/gotenberg/v8 (Go) Jun 18, 2026
Credited to basikCc
ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components Low
CVE-2026-55671 was published for github.com/zitadel/zitadel (Go) Jun 18, 2026
Credited to wooseokdotkim, IAM-marco, livio-a, 0xBassia, alanturing881, dungNHVhust, sondt99, DavidCarliez, tikket1, Wernerina, morimori-dev, and vamsik2k5
Capsule: Incomplete fix of CVE-2026-30963: singular/plural typo leaves namespaces/finalize unprotected Moderate
CVE-2026-55636 was published for github.com/projectcapsule/capsule (Go) Jun 17, 2026
Credited to character-s
Gitea: Open Redirect via redirect_to Moderate
CVE-2026-25779 was published for github.com/go-gitea/gitea (Go) Jun 17, 2026
Credited to quirmz
Gitea: Stored XSS via glTF `extensionsRequired` in Gitea 3D File Viewer High
CVE-2026-28737 was published for code.gitea.io/gitea (Go) Jun 17, 2026
Credited to yonatan-pl
Gitea: Public-only tokens bypass private-resource restrictions on `/api/v1/user` self routes High
CVE-2026-24791 was published for code.gitea.io/gitea (Go) Jun 17, 2026
Credited to kamil-sawicki
Gitea: API Fork Missing CanCreateOrgRepo Check Allows Org Secret Exfiltration High
CVE-2026-22555 was published for code.gitea.io/gitea (Go) Jun 17, 2026
Credited to andrejtomci
Daytona: Cross-tenant data leak in notification WebSocket gateway via unverified organizationId join Moderate
CVE-2026-54324 was published for github.com/daytonaio/daytona (Go) Jun 17, 2026
Credited to vnth4nhnt
Credited to vvvvvvvvvvel and Saku0512
Gitea: Token scope bypass on web archive download endpoint Moderate
CVE-2026-20706 was published for code.gitea.io/gitea (Go) Jun 16, 2026
Credited to geoo115
Gitea: Missing repository-unit authorization on issue-template API endpoints Moderate
CVE-2026-27783 was published for code.gitea.io/gitea (Go) Jun 16, 2026
Credited to hoangperry
Gitea: Incomplete CVE-2025-68941 fix: /user/orgs missing checkTokenPublicOnly + switch-case logic flaw Moderate
CVE-2026-25714 was published for code.gitea.io/gitea (Go) Jun 16, 2026
Credited to Medoedus
Gitea: Authorization Bypass via "Allow edits from maintainers" allows unauthorized commits to any readable repo High
CVE-2026-26231 was published for code.gitea.io/gitea (Go) Jun 16, 2026
Credited to ddd
Gitea: OAuth2 access token scope enforcement bypass via HTTP Basic authentication High
CVE-2026-28699 was published for code.gitea.io/gitea (Go) Jun 16, 2026
Credited to Alardiians
Gogs: Overwriting critical files results in a denial of service High
CVE-2026-52797 was published for gogs.io/gogs (Go) Jun 16, 2026
Credited to kamil-sawicki and ncw
Gitea: Git Smart HTTP Skips Repository Token Scopes for Bearer Tokens High
CVE-2026-28744 was published for code.gitea.io/gitea (Go) Jun 16, 2026
Credited to ohxorud-dev and lunny
Daytona: Cross-org IDOR in organization role update/delete — any org owner can rewrite or destroy another org's roles High
CVE-2026-54322 was published for github.com/daytonaio/daytona (Go) Jun 16, 2026
Credited to vnth4nhnt and mrknight-n1du
Caddy: stripHTML template function bypass Moderate
CVE-2026-52846 was published for github.com/caddyserver/caddy (Go) Jun 16, 2026
Credited to jmrcsnchz
Caddy: FastCGI header normalization bypass in `forward_auth copy_headers` High
CVE-2026-52845 was published for github.com/caddyserver/caddy (Go) Jun 16, 2026
Credited to Vincent550102