Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
74
GitHub Actions
54
Go
4,092
Maven
5,000+
npm
5,000+
NuGet
994
pip
5,000+
Pub
13
RubyGems
1,095
Rust
1,414
Swift
61
Unreviewed advisories
All unreviewed
5,000+

1,518 advisories

Loading
FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files High
CVE-2026-45062 was published for github.com/dunglas/frankenphp (Go) May 15, 2026
KC1zs4 Credited to KC1zs4, chenjj, and dunglas chenjj chenjj
dunglas dunglas
Crabbox: authentication bypass vulnerability that allows impersonation of others by spoofing identity headers High
CVE-2026-8621 was published for github.com/openclaw/crabbox (Go) May 14, 2026
go-billy has path traversal vulnerabilities High
CVE-2026-44973 was published for github.com/go-git/go-billy/v5 (Go) May 14, 2026
faran66 Credited to faran66 and vnykmshr vnykmshr vnykmshr
Portainer: JWT accepted in URL query leaks tokens to logs and referers High
CVE-2026-44883 was published for github.com/portainer/portainer (Go) May 14, 2026
scanpwn Credited to scanpwn
Portainer's Kubernetes middleware continues after token validation failure, bypassing endpoint authorization High
CVE-2026-44882 was published for github.com/portainer/portainer (Go) May 14, 2026
kolega-ai-dev Credited to kolega-ai-dev
Portainer Has an Arbitrary File Read via Git Symlink Injection in Stack Auto-Update High
CVE-2026-44881 was published for github.com/portainer/portainer (Go) May 14, 2026
b-hermes Credited to b-hermes
Portainer has a bind-mount restriction bypass via HostConfig.Mounts High
CVE-2026-44850 was published for github.com/portainer/portainer (Go) May 14, 2026
offensiveee Credited to offensiveee, alexwaira, Proscan-one, jeroengui, AyushParkara, and marduc812 alexwaira alexwaira
Proscan-one Proscan-one jeroengui jeroengui AyushParkara AyushParkara marduc812 marduc812
Fleet server may terminate unexpectedly when handling certain gRPC requests High
CVE-2026-26062 was published for github.com/fleetdm/fleet/v4 (Go) May 14, 2026
Fleet Windows MDM Azure AD JWT Authentication Bypass High
CVE-2026-24899 was published for github.com/fleetdm/fleet/v4 (Go) May 14, 2026
zaddy6 Credited to zaddy6 and arthurgervais arthurgervais arthurgervais
Fleet has a Windows MDM management endpoint authentication bypass High
CVE-2026-23998 was published for github.com/fleetdm/fleet/v4 (Go) May 14, 2026
SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs High
CVE-2026-45371 was published for github.com/siyuan-note/siyuan/kernel (Go) May 13, 2026
fg0x0 Credited to fg0x0
uniget is Vulnerable to Command Injection in tool.Check Leading to Arbitrary Code Execution High
CVE-2026-45152 was published for gitlab.com/uniget-org/cli (Go) May 13, 2026
0x5t4l1n Credited to 0x5t4l1n
Klever-Go MultiDataInterceptor has remote OOM via crafted compressed P2P payload High
CVE-2026-44697 was published for github.com/klever-io/klever-go (Go) May 13, 2026
fbsobreira Credited to fbsobreira
esm.sh: Path Traversal via package.json browser field allows reading arbitrary server files High
CVE-2026-44594 was published for github.com/esm-dev/esm.sh (Go) May 12, 2026
donttrytofindme Credited to donttrytofindme
esm.sh: Legacy Route Path Traversal Can Lead to RCE High
CVE-2026-44593 was published for github.com/esm-dev/esm.sh (Go) May 12, 2026
splitline Credited to splitline
HashiCorp Nomad vulnerable to a path traversal High
CVE-2026-7474 was published for github.com/hashicorp/nomad (Go) May 12, 2026
Dalfox has an Unauthenticated Remote DoS via Closed-Channel Write in `ParameterAnalysis` (server mode) High
CVE-2026-45090 was published for github.com/hahwul/dalfox (Go) May 12, 2026
bugbunny-research Credited to bugbunny-research
Dalfox Server Mode has an Unauthenticated Arbitrary File Create/Append via `output` Option High
CVE-2026-45089 was published for github.com/hahwul/dalfox/v2 (Go) May 12, 2026
drmingler Credited to drmingler
Dalfox Server Mode has an Unauthenticated Arbitrary File Read with Out-of-Band Exfiltration via `custom-payload-file` High
CVE-2026-45088 was published for github.com/hahwul/dalfox/v2 (Go) May 12, 2026
Bird-lg-go has a Fatal Out-of-Memory (OOM) Denial of Service via Unbounded JSON Decoding High
CVE-2026-45047 was published for github.com/xddxdd/bird-lg-go (Go) May 11, 2026
9Bakabaka Credited to 9Bakabaka
Local Path Provisioner Vulnerable to HelperPod Template Injection High
CVE-2026-44543 was published for github.com/rancher/local-path-provisioner (Go) May 11, 2026
b0b0haha Credited to b0b0haha and j311yl0v3u j311yl0v3u j311yl0v3u
Ella Core Vulnerable to UE Downlink Redirection via Forged PDUSessionResourceSetupResponse High
CVE-2026-44473 was published for github.com/ellanetworks/core (Go) May 11, 2026
SJNA0414 Credited to SJNA0414, ICSR-KMU, and bradypus404 ICSR-KMU ICSR-KMU
bradypus404 bradypus404
go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git High
CVE-2026-45022 was published for github.com/go-git/go-git/v5 (Go) May 11, 2026
adityasaky Credited to adityasaky, wlynch, patzielinski, bugbunny-research, and wayphinder wlynch wlynch
patzielinski patzielinski bugbunny-research bugbunny-research wayphinder wayphinder
Dozzle's Cross-Site WebSocket Hijacking (CSWSH) on exec/attach endpointsbypasses authentication High
CVE-2026-44985 was published for github.com/amir20/dozzle (Go) May 11, 2026
q1uf3ng Credited to q1uf3ng
Gotenberg: Server-Side Request Forgery via Chromium URL Endpoint with Redirect-Based Deny-List Bypass High
CVE-2026-42595 was published for github.com/gotenberg/gotenberg/v8 (Go) May 11, 2026
AyushParkara Credited to AyushParkara
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database