
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,816 advisories

nebula-mesh stores enrollment tokens unhashed in SQLite Moderate
GHSA-ghmh-jhmj-wcmf was published for github.com/juev/nebula-mesh (Go) Jun 22, 2026
Credited to ak2k
Gogs has SSRF in webhook deliveries Moderate
CVE-2026-47267 was published for gogs.io/gogs (Go) Jun 22, 2026
Credited to snyff
Build breakout using malicious Containerfile and Git Smart HTTP server or GitHub release tar archive Moderate
CVE-2026-44517 was published for github.com/containers/buildah (Go) Jun 22, 2026
Credited to eriksjolund
runc: Malicious image with /dev symlink can trigger limited host filesystem integrity violations Moderate
CVE-2026-41579 was published for github.com/opencontainers/runc (Go) Jun 22, 2026
Credited to mosskappa and Dmanzella
Gogs has a Denial of Service in repository/wiki file listing web pages Moderate
CVE-2025-64719 was published for gogs.io/gogs (Go) Jun 22, 2026
Credited to 0xless
OpenBao: Transit secrets engine crashes on key creation with `derived: true` for asymmetric key types Moderate
CVE-2026-55776 was published for github.com/openbao/openbao (Go) Jun 19, 2026
Credited to SahilKumar000
OpenBao: LDAPi ldaputil (wrong escape func) Moderate
CVE-2026-55770 was published for github.com/openbao/openbao (Go) Jun 19, 2026
Credited to alcls01111
Mailpit: Incomplete SSRF protection in Link Check API via IPv6 transition mechanisms Moderate
CVE-2026-55187 was published for github.com/axllent/mailpit (Go) Jun 19, 2026
Credited to JLLeitschuh
Open Redirect Bypass in miniflux-v2 Moderate
CVE-2026-55185 was published for miniflux.app/v2 (Go) Jun 19, 2026
Credited to Fushuling and RacerZ-fighting
Traefik Kubernetes Ingress NGINX provider fails open when auth-secret resolution fails Moderate
CVE-2026-54762 was published for github.com/traefik/traefik/v3 (Go) Jun 19, 2026
Credited to vvvvvvvvvvel
go.qbee.io/transport: Symlink-chain path traversal in tar extraction (one level outside destination) Moderate
CVE-2026-55828 was published for go.qbee.io/transport (Go) Jun 19, 2026
Credited to ttzero25
Grafana Operator: Privilege escalation from namespace admin to cluster admin via GrafanaDashboard jsonnetLib fileName Moderate
CVE-2026-11769 was published for github.com/grafana/grafana-operator (Go) Jun 19, 2026
Credited to cherez0ff
containerd: CRI checkpoint import allows local image tag poisoning Moderate
CVE-2026-50195 was published for github.com/containerd/containerd/v2 (Go) Jun 19, 2026
Credited to hbeberman and robertprast
containerd image-triggered runtime DoS via unbounded group parsing Moderate
CVE-2026-47262 was published for github.com/containerd/containerd (Go) Jun 19, 2026
Credited to jake-ciolek and kyle-elliott-tob
Hugo: Symlink confinement bypass in os.ReadFile Moderate
GHSA-c3wq-j5vh-68rc was published for github.com/gohugoio/hugo (Go) Jun 19, 2026
Credited to vnth4nhnt
Hugo: XSS via unescaped code-fence language in default code block renderer Moderate
GHSA-q76j-gcg9-vxc6 was published for github.com/gohugoio/hugo (Go) Jun 19, 2026
Credited to k0ngj1
Entire CLI: Path traversal in checkpoint session metadata allows arbitrary file write during resume/rewind Moderate
GHSA-2h46-9x5w-4wf7 was published for github.com/entireio/cli (Go) Jun 19, 2026
Credited to nskath
OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset Moderate
CVE-2026-55689 was published for github.com/openfga/openfga (Go) Jun 19, 2026
Credited to 0xVijay
Canonical MicroCeph: path traversal issue in the remote-import AP Moderate
CVE-2026-10720 was published for github.com/canonical/microceph/microceph (Go) Jun 19, 2026
Credited to vnth4nhnt
opentelemetry-collector-contrib: githubreceiver silently ignores configured required_headers authentication Moderate
CVE-2026-55701 was published for github.com/open-telemetry/opentelemetry-collector-contrib/receiver/githubreceiver (Go) Jun 18, 2026
Credited to kodareef5
opentelemetry-collector-contrib sentryexporter: Path traversal in Sentry exporter via attacker-controlled service.name reaches privileged Sentry API endpoints with operator bearer token Moderate
CVE-2026-47256 was published for github.com/open-telemetry/opentelemetry-collector-contrib/exporter/sentryexporter (Go) Jun 18, 2026
Credited to brodmart
Podman: WORKDIR symlink traversal vulnerability Moderate
CVE-2026-55686 was published for github.com/containers/podman/v3 (Go) Jun 18, 2026
Credited to eriksjolund
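The symlink and path-traversal entries above (the go.qbee.io/transport tar extraction, Hugo, Entire CLI, MicroCeph and Podman WORKDIR advisories) are all variants of the same confinement problem: a path that is lexically inside the destination can resolve somewhere else once a symlink on the way is followed. The block below is an added example, not code from any of those projects, of a tar extractor that checks each entry both lexically and against the real filesystem before writing anything. It uses only the Go standard library; the function names and the BuildArchive helper (which exists only to construct sample archives in memory) are this example's own.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ExtractTar writes a tar stream under dest. Each entry is checked lexically
// (the cleaned path stays under dest) and physically (its deepest already
// existing ancestor, resolved through symlinks, is still under dest) before
// anything is written. The physical check is what defeats the chain
// "symlink a -> outside, then regular file a/x": the second entry looks
// inside dest lexically but would land outside it.
func ExtractTar(r io.Reader, dest string) error {
	absDest, err := filepath.Abs(dest)
	if err != nil { return err }
	realDest, err := filepath.EvalSymlinks(absDest) // dest itself may be a symlink
	if err != nil { return err }
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF { return nil }
		if err != nil { return err }
		target, err := confinedPath(realDest, hdr.Name)
		if err == nil {
			err = os.MkdirAll(filepath.Dir(target), 0o755) // ancestors were just verified
		}
		if err != nil { return fmt.Errorf("entry %q: %w", hdr.Name, err) }
		switch hdr.Typeflag {
		case tar.TypeDir:
			err = os.MkdirAll(target, 0o755)
		case tar.TypeReg:
			var f *os.File
			if f, err = os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, os.FileMode(hdr.Mode)&0o777); err == nil {
				_, err = io.Copy(f, tr)
				f.Close()
			}
		case tar.TypeSymlink:
			// The link target is confined too, relative to the link's own
			// directory; absolute targets are refused outright.
			if filepath.IsAbs(hdr.Linkname) { return fmt.Errorf("entry %q: absolute symlink target", hdr.Name) }
			if _, err = confinedPath(realDest, filepath.Join(filepath.Dir(hdr.Name), hdr.Linkname)); err == nil {
				err = os.Symlink(hdr.Linkname, target)
			}
		default: // hard links, devices etc. need their own checks; refuse them here
			err = fmt.Errorf("unsupported entry type %q", hdr.Typeflag)
		}
		if err != nil { return fmt.Errorf("entry %q: %w", hdr.Name, err) }
	}
}

// confinedPath joins name onto realDest and rejects it if it escapes, either
// lexically or once the symlinks that already exist on the way are resolved.
func confinedPath(realDest, name string) (string, error) {
	clean := filepath.Join(realDest, filepath.FromSlash(name)) // Join also cleans ".."
	rel, err := filepath.Rel(realDest, clean)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("path escapes destination")
	}
	resolved, err := resolveExisting(clean)
	if err != nil { return "", err }
	if resolved != realDest && !strings.HasPrefix(resolved, realDest+string(filepath.Separator)) {
		return "", fmt.Errorf("path resolves to %s, outside destination", resolved)
	}
	return clean, nil
}

// resolveExisting resolves the longest existing prefix of the absolute path p
// through symlinks and appends the not-yet-created remainder lexically.
func resolveExisting(p string) (string, error) {
	var tail []string
	for {
		if _, err := os.Lstat(p); err == nil {
			real, err := filepath.EvalSymlinks(p) // fails on a dangling link: reject
			if err != nil { return "", err }
			return filepath.Join(append([]string{real}, tail...)...), nil
		} else if !os.IsNotExist(err) {
			return "", err
		}
		tail = append([]string{filepath.Base(p)}, tail...)
		p = filepath.Dir(p) // p is absolute, so this stops at the root at the latest
	}
}

// BuildArchive builds an in-memory tar from headers and file bodies. It is a
// constructed helper for producing sample archives, not part of any project.
func BuildArchive(hdrs []*tar.Header, bodies map[string]string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, h := range hdrs {
		body := bodies[h.Name]
		if h.Typeflag == tar.TypeReg { h.Size = int64(len(body)) }
		if err := tw.WriteHeader(h); err != nil { panic(err) }
		if h.Typeflag == tar.TypeReg { io.WriteString(tw, body) }
	}
	tw.Close()
	return buf.Bytes()
}
```

The physical check matters even when every symlink in the archive is confined: a symlink already present in the destination (from a previous extraction or from the environment) would otherwise redirect a lexically clean entry outside it.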
ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider Moderate
CVE-2026-55669 was published for github.com/zitadel/zitadel (Go) Jun 18, 2026
Credited to Android-Login-Analysis, IAM-marco, livio-a, and Punisher100
ZITADEL: Missing Token Lifecycle Validation (`exp` and `iat`) in JWT IdP Provider Moderate
GHSA-wxg7-w2v3-w38g was published for github.com/zitadel/zitadel (Go) Jun 18, 2026
Credited to Android-Login-Analysis, livio-a, and IAM-marco
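The two ZITADEL JWT IdP entries and the OpenFGA OIDC entry above name three claim checks that are easy to leave out: the audience (`aud`), the lifetime (`exp` and `iat`), and the fail-open case where no expected audience is configured at all. The block below is an added example, not ZITADEL's or OpenFGA's code, of those checks in Go using only the standard library. It assumes the token's signature has already been verified (ParseClaims decodes the payload and does no signature check, so unverified claims are attacker-controlled); the MakeUnsignedToken helper exists only to construct sample tokens and the function names are this example's own.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims holds the registered claims (RFC 7519 section 4.1) checked below.
type Claims struct {
	Audience []string   // "aud": a string or an array of strings on the wire
	IssuedAt *time.Time // "iat"
	Expires  *time.Time // "exp"
}

// ParseClaims decodes the payload segment of a compact JWT. It performs no
// signature verification; callers must verify the signature first.
func ParseClaims(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("jwt: expected three dot-separated segments")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1]) // unpadded base64url
	if err != nil {
		return Claims{}, fmt.Errorf("jwt: payload is not base64url: %w", err)
	}
	var wire struct {
		Aud json.RawMessage `json:"aud"`
		Iat *int64          `json:"iat"`
		Exp *int64          `json:"exp"`
	}
	if err := json.Unmarshal(raw, &wire); err != nil {
		return Claims{}, fmt.Errorf("jwt: payload is not JSON: %w", err)
	}
	var c Claims
	if len(wire.Aud) > 0 && string(wire.Aud) != "null" {
		var single string
		if json.Unmarshal(wire.Aud, &single) == nil {
			c.Audience = []string{single}
		} else if json.Unmarshal(wire.Aud, &c.Audience) != nil {
			return Claims{}, errors.New("jwt: aud must be a string or an array of strings")
		}
	}
	if wire.Iat != nil {
		t := time.Unix(*wire.Iat, 0)
		c.IssuedAt = &t
	}
	if wire.Exp != nil {
		t := time.Unix(*wire.Exp, 0)
		c.Expires = &t
	}
	return c, nil
}

// ValidateClaims enforces audience and lifetime. An empty expectedAud is a
// configuration error and is rejected rather than treated as "accept any
// audience"; a missing exp or iat is rejected rather than treated as
// "never expires" or "issued whenever". leeway absorbs small clock skew.
func ValidateClaims(c Claims, expectedAud string, now time.Time, leeway time.Duration) error {
	if expectedAud == "" {
		return errors.New("jwt: no expected audience configured; refusing to validate")
	}
	ok := false
	for _, a := range c.Audience {
		ok = ok || a == expectedAud
	}
	if !ok {
		return fmt.Errorf("jwt: aud %v does not contain %q", c.Audience, expectedAud)
	}
	if c.Expires == nil {
		return errors.New("jwt: exp claim missing")
	}
	if !now.Before(c.Expires.Add(leeway)) {
		return fmt.Errorf("jwt: expired at %s", c.Expires.UTC().Format(time.RFC3339))
	}
	if c.IssuedAt == nil {
		return errors.New("jwt: iat claim missing")
	}
	if c.IssuedAt.After(now.Add(leeway)) {
		return fmt.Errorf("jwt: issued in the future at %s", c.IssuedAt.UTC().Format(time.RFC3339))
	}
	return nil
}

// MakeUnsignedToken builds a compact JWT with a placeholder signature. It is a
// constructed helper for producing sample input only; real tokens must be signed.
func MakeUnsignedToken(payload map[string]interface{}) string {
	header, _ := json.Marshal(map[string]string{"alg": "none", "typ": "JWT"})
	body, _ := json.Marshal(payload)
	enc := base64.RawURLEncoding.EncodeToString
	return enc(header) + "." + enc(body) + ".sig"
}
```

Both wire forms of `aud` (a single string or an array) are accepted, as RFC 7519 allows; a token whose `aud` is neither is rejected at parse time rather than silently treated as having no audience.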