GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,087 advisories

nebula-mesh stores enrollment tokens unhashed in SQLite Moderate
GHSA-ghmh-jhmj-wcmf was published for github.com/juev/nebula-mesh (Go) Jun 22, 2026
Credited to ak2k
Gogs has SSRF in webhook deliveries Moderate
CVE-2026-47267 was published for gogs.io/gogs (Go) Jun 22, 2026
Credited to snyff
Inspektor Gadget: Unprivileged container can crash USDT note parser via crafted ELF (no shipped gadget affected) Low
CVE-2026-44778 was published for github.com/inspektor-gadget/inspektor-gadget (Go) Jun 22, 2026
Build breakout using malicious Containerfile and Git Smart HTTP server or GitHub release tar archive Moderate
CVE-2026-44517 was published for github.com/containers/buildah (Go) Jun 22, 2026
Credited to eriksjolund
runc: Malicious image with /dev symlink can trigger limited host filesystem integrity violations Moderate
CVE-2026-41579 was published for github.com/opencontainers/runc (Go) Jun 22, 2026
Credited to mosskappa and Dmanzella
Gogs has an Authentication Bypass via Unvalidated Reverse Proxy Headers High
CVE-2026-25119 was published for gogs.io/gogs (Go) Jun 22, 2026
Credited to tenbbughunters
Gogs has a Denial of Service in repository/wiki file listing web pages Moderate
CVE-2025-64719 was published for gogs.io/gogs (Go) Jun 22, 2026
Credited to 0xless
Gogs: XSS in .ipynb files renderer due to outdated notebookjs High
GHSA-6vxv-wg6j-5qwp was published for gogs.io/gogs (Go) Jun 19, 2026
Credited to Aikido-Security, JorianWoltjer, and grumpinout1
Credited to miparnisari
OpenBao: Transit secrets engine crashes on key creation with `derived: true` for asymmetric key types Moderate
CVE-2026-55776 was published for github.com/openbao/openbao (Go) Jun 19, 2026
Credited to SahilKumar000
OpenBao's System Backend allows Unauthorized Management of the containing Namespace Low
CVE-2026-55775 was published for github.com/openbao/openbao (Go) Jun 19, 2026
Credited to satoqz
Credited to anir0y and 5ud0er
OpenBao: LDAPi ldaputil (wrong escape func) Moderate
CVE-2026-55770 was published for github.com/openbao/openbao (Go) Jun 19, 2026
Credited to alcls01111
Mailpit: Incomplete SSRF protection in Link Check API via IPv6 transition mechanisms Moderate
CVE-2026-55187 was published for github.com/axllent/mailpit (Go) Jun 19, 2026
Credited to JLLeitschuh
Open Redirect Bypass in miniflux-v2 Moderate
CVE-2026-55185 was published for miniflux.app/v2 (Go) Jun 19, 2026
Credited to Fushuling and RacerZ-fighting
Traefik Kubernetes Ingress NGINX provider fails open when auth-secret resolution fails Moderate
CVE-2026-54762 was published for github.com/traefik/traefik/v3 (Go) Jun 19, 2026
Credited to vvvvvvvvvvel
go.qbee.io/transport: Symlink-chain path traversal in tar extraction (one level outside destination) Moderate
CVE-2026-55828 was published for go.qbee.io/transport (Go) Jun 19, 2026
Credited to ttzero25
Grafana Operator: Privilege escalation from namespace admin to cluster admin via GrafanaDashboard jsonnetLib fileName Moderate
CVE-2026-11769 was published for github.com/grafana/grafana-operator (Go) Jun 19, 2026
Credited to cherez0ff
Crossplane: Signature verification TOCTOU allows installing unverified package content via mutable tag Critical
GHSA-wfqx-gjrf-g28r was published for github.com/crossplane/crossplane (Go) Jun 19, 2026
Credited to bugbunny-research and tonghuaroot
Blocky DNSSEC validation bypass and validation-cache scope pollution High
GHSA-x845-2f78-7v36 was published for github.com/0xERR0R/blocky (Go) Jun 19, 2026
Credited to RealHurrison
containerd CRI checkpoint restore CDI annotation smuggling High
CVE-2026-53492 was published for github.com/containerd/containerd/v2 (Go) Jun 19, 2026
Credited to robertprast
Arbitrary host CRI log file read via symlink following in CRI checkpoint restore High
CVE-2026-53489 was published for github.com/containerd/containerd/v2 (Go) Jun 19, 2026
Credited to gouldnicholas, davidrxchester, sangwon090, robertprast, and Plucky923
containerd CRI — image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull High
CVE-2026-53488 was published for github.com/containerd/containerd (Go) Jun 19, 2026
Credited to robertprast
containerd: CRI checkpoint import allows local image tag poisoning Moderate
CVE-2026-50195 was published for github.com/containerd/containerd/v2 (Go) Jun 19, 2026
Credited to hbeberman and robertprast
containerd image-triggered runtime DoS via unbounded group parsing Moderate
CVE-2026-47262 was published for github.com/containerd/containerd (Go) Jun 19, 2026
Credited to jake-ciolek and kyle-elliott-tob