GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

318 advisories

Gogs has DoS in rendering issue index pattern Low
CVE-2026-52796 was published for gogs.io/gogs (Go) Jun 22, 2026
Credited to BaiMeow
Inspektor Gadget: Unprivileged container can crash USDT note parser via crafted ELF (no shipped gadget affected) Low
CVE-2026-44778 was published for github.com/inspektor-gadget/inspektor-gadget (Go) Jun 22, 2026
Credited to miparnisari
OpenBao's System Backend allows Unauthorized Management of the containing Namespace Low
CVE-2026-55775 was published for github.com/openbao/openbao (Go) Jun 19, 2026
Credited to satoqz
Credited to anir0y and 5ud0er
ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components Low
CVE-2026-55671 was published for github.com/zitadel/zitadel (Go) Jun 18, 2026
Credited to wooseokdotkim, IAM-marco, livio-a, 0xBassia, alanturing881, dungNHVhust, sondt99, DavidCarliez, tikket1, Wernerina, morimori-dev, and vamsik2k5
OpenFGA Improper Policy Enforcement Low
CVE-2026-55170 was published for github.com/openfga/openfga (Go) Jun 18, 2026
Credited to sahajamoth
ZITADEL: Cross-Tenant User Leakage via Recycled Identifiers Low
CVE-2026-55670 was published for github.com/zitadel/zitadel (Go) Jun 18, 2026
Credited to livio-a and emgrav
nebula-mesh: POST /api/v1/hosts/{id}/mobile-bundle response lacks Cache-Control: no-store Low
GHSA-6vgg-xhvh-38ff was published for github.com/juev/nebula-mesh (Go) Jun 12, 2026
Credited to ak2k
SpiceDB: Caveat structures with nested lists can result in improper cache reuse Low
CVE-2026-46668 was published for github.com/authzed/spicedb (Go) May 21, 2026
opentelemetry-go's Schema ParseFile leaks file descriptors on each parse Low
CVE-2026-45287 was published for go.opentelemetry.io/otel/schema/v1.0 (Go) May 28, 2026
Credited to pellared and MrAlias
Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload Low
CVE-2026-33221 was published for github.com/nhost/nhost (Go) Mar 18, 2026
Credited to 0xkakash1
OpenTelemetry eBPF Instrumentation: Java TLS ioctl kprobe allows kernel memory disclosure Low
CVE-2026-45683 was published for go.opentelemetry.io/obi (Go) May 18, 2026
Credited to MrAlias and grcevski
Potential proxy IP restriction bypass in Kubernetes Low
CVE-2020-8562 was published for k8s.io/kubernetes (Go) Feb 2, 2022
Credited to enj
Confused Deputy in Kubernetes Low
CVE-2021-25740 was published for k8s.io/kubernetes (Go) Sep 21, 2021
Capsule Namespace Hijacking via subresource Low
CVE-2026-30963 was published for github.com/projectcapsule/capsule (Go) May 28, 2026
Credited to xy585
Ella Core has handover failures during concurrent Security Mode Command Low
CVE-2026-44474 was published for github.com/ellanetworks/core (Go) May 11, 2026
Credited to SJNA0414, ICSR-KMU, and bradypus404
Free5GC AMF has Missing Concurrent NAS SMC Validation During NGAP Handover Low
CVE-2026-42082 was published for github.com/free5gc/amf (Go) May 7, 2026
Credited to SJNA0414, ICSR-KMU, and bradypus404
go-git: Improper single-quote escaping in go-git SSH transport Low
CVE-2026-45570 was published for github.com/go-git/go-git (Go) May 19, 2026
Credited to N0zoM1z0 and hiddeco
Omni: Operator can traverse image-factory API paths via unsanitized `talos_version` in CreateSchematic Low
CVE-2026-45723 was published for github.com/siderolabs/omni (Go) Jun 5, 2026
Credited to bugbunny-research
Mattermost doesn't validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation Low
CVE-2026-4273 was published for github.com/mattermost/mattermost-server (Go) May 18, 2026
Mattermost doesn't validate the Host header when constructing response URLs for custom slash command Low
CVE-2026-6333 was published for github.com/mattermost/mattermost-server (Go) May 18, 2026
Mattermost doesn't check if {{team_id}} was being changed when updating playbooks Low
CVE-2026-4286 was published for github.com/mattermost/mattermost-plugin-playbooks (Go) May 18, 2026
Mattermost doesn't enforce client identity binding during the OAuth authorization code redemption flow Low
CVE-2026-6334 was published for github.com/mattermost/mattermost-server (Go) May 18, 2026
Mattermost doesn't escape some variables that could contain malicious content during error page composition Low
CVE-2026-3495 was published for github.com/mattermost/mattermost-server (Go) May 18, 2026