GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories (count by ecosystem):
  All reviewed: 5,000+
  Composer: 5,000+
  Erlang: 74
  GitHub Actions: 54
  Go: 4,092
  Maven: 5,000+
  npm: 5,000+
  NuGet: 994
  pip: 5,000+
  Pub: 13
  RubyGems: 1,095
  Rust: 1,414
  Swift: 61
Unreviewed advisories:
  All unreviewed: 5,000+
1,518 advisories
Severity | ID | Package (ecosystem) | Published | Advisory
High | CVE-2026-52801 | gogs.io/gogs (Go) | Jun 23, 2026 | Gogs has the ability to import local repositories via Mirror Settings
High | CVE-2026-52800 | gogs.io/gogs (Go) | Jun 23, 2026 | Gogs Vulnerable to CSRF Leading to Organization Owner Takeover
High | CVE-2026-52799 | gogs.io/gogs (Go) | Jun 22, 2026 | Gogs Missing Authorization in Attachment Download
High | CVE-2026-52798 | gogs.io/gogs (Go) | Jun 22, 2026 | Gogs has Stored XSS in `.ipynb` Preview
High | CVE-2026-25119 | gogs.io/gogs (Go) | Jun 22, 2026 | Gogs has an Authentication Bypass via Unvalidated Reverse Proxy Headers
High | GHSA-6vxv-wg6j-5qwp | gogs.io/gogs (Go) | Jun 19, 2026 | Gogs: XSS in .ipynb files renderer due to outdated notebookjs
High | GHSA-x845-2f78-7v36 | github.com/0xERR0R/blocky (Go) | Jun 19, 2026 | Blocky DNSSEC validation bypass and validation-cache scope pollution
High | CVE-2026-53492 | github.com/containerd/containerd/v2 (Go) | Jun 19, 2026 | containerd CRI checkpoint restore CDI annotation smuggling
High | CVE-2026-53489 | github.com/containerd/containerd/v2 (Go) | Jun 19, 2026 | Arbitrary host CRI log file read via symlink following in CRI checkpoint restore
High | CVE-2026-53488 | github.com/containerd/containerd (Go) | Jun 19, 2026 | containerd CRI — image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull
High | GHSA-r46f-3rpw-hxrv | github.com/gohugoio/hugo (Go) | Jun 19, 2026 | Hugo: security.http.urls deny rules bypassed by alternate IPv4 encodings (SSRF)
High | GHSA-q7j3-v8qv-22vq | github.com/opentofu/opentofu (Go) | Jun 19, 2026 | OpenTofu: Possible arbitrary file read during certain git operations via a maliciously crafted URL
High | CVE-2026-55883 | github.com/tilt-dev/tilt (Go) | Jun 19, 2026 | Tilt: Cross-site WebSocket hijacking of the Tilt HUD stream
High | CVE-2026-55882 | github.com/tilt-dev/tilt (Go) | Jun 19, 2026 | Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server
High | CVE-2026-11719 | github.com/googleapis/mcp-toolbox (Go) | Jun 18, 2026 | MCP Toolbox for Databases: authenticated authorization bypass
High | GHSA-4jgr-pg2m-m988 | github.com/dadrus/heimdall (Go) | Jun 18, 2026 | Heimdall: Forwarded Header Injection via Unsanitized Host Header in Proxy Mode
High | GHSA-38x9-25wx-7fg2 | https://github.com/dadrus/heimdall (Go) | Jun 18, 2026 | Heimdall: IP Spoofing via Unvalidated Forwarding Headers
High | CVE-2026-55672 | github.com/zitadel/zitadel (Go) | Jun 18, 2026 | ZITADEL: Missing client_id binding in OIDC authorization code exchange and refresh token flows (RFC 6749 Section 4.1.3 violation)
High | CVE-2026-55887 | github.com/docker/mcp-gateway (Go) | Jun 18, 2026 | Docker MCP Gateway: Argument injection via OCI image label YAML
High | CVE-2026-55229 | github.com/gotenberg/gotenberg/v8 (Go) | Jun 18, 2026 | Gotenberg: SSRF via LibreOffice document processing
High | CVE-2026-28737 | code.gitea.io/gitea (Go) | Jun 17, 2026 | Gitea: Stored XSS via glTF `extensionsRequired` in Gitea 3D File Viewer
High | CVE-2026-24791 | code.gitea.io/gitea (Go) | Jun 17, 2026 | Gitea: Public-only tokens bypass private-resource restrictions on `/api/v1/user` self routes
High | CVE-2026-22555 | code.gitea.io/gitea (Go) | Jun 17, 2026 | Gitea: API Fork Missing CanCreateOrgRepo Check Allows Org Secret Exfiltration
High | CVE-2026-26231 | code.gitea.io/gitea (Go) | Jun 16, 2026 | Gitea: Authorization Bypass via "Allow edits from maintainers" allows unauthorized commits to any readable repo
High | CVE-2026-28699 | code.gitea.io/gitea (Go) | Jun 16, 2026 | Gitea: OAuth2 access token scope enforcement bypass via HTTP Basic authentication
Advisories are also available from the GraphQL API.