GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
1,134 advisories
WeKnora has Broken Access Control - Cross-Tenant Data Exposure
Severity: High. CVE-2026-30859 was published for github.com/Tencent/WeKnora (Go) on Mar 6, 2026.
WeKnora has DNS Rebinding Vulnerability in web_fetch Tool that Allows SSRF to Internal Resources
Severity: High. CVE-2026-30858 was published for github.com/Tencent/WeKnora (Go) on Mar 6, 2026.
Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation
Severity: High. CVE-2026-30851 was published for github.com/caddyserver/caddy/v2/modules/caddyhttp/reverseproxy (Go) on Mar 6, 2026.
Zarf's symlink targets in archives are not validated against destination directory
Severity: High. CVE-2026-29064 was published for github.com/zarf-dev/zarf/src/pkg/archive (Go) on Mar 6, 2026.
CoreDNS Loop Detection Denial of Service Vulnerability
Severity: High. CVE-2026-26018 was published for github.com/coredns/coredns (Go) on Mar 6, 2026.
PinchTab has SSRF with Full Response Exfiltration via Download Handler
Severity: High. CVE-2026-30834 was published for github.com/pinchtab/pinchtab/cmd/pinchtab (Go) on Mar 6, 2026.
CoreDNS ACL Bypass
Severity: High. CVE-2026-26017 was published for github.com/coredns/coredns (Go) on Mar 6, 2026.
OliveTin has JWT Audience Validation Bypass in Local Key and HMAC Modes
Severity: High. CVE-2026-30223 was published for github.com/OliveTin/OliveTin (Go) on Mar 5, 2026.
Gogs: DOM-based XSS via milestone selection
Severity: High. CVE-2026-26276 was published for gogs.io/gogs (Go) on Mar 5, 2026.
Gogs: Release tag option injection in release deletion
Severity: High. CVE-2026-26194 was published for gogs.io/gogs (Go) on Mar 5, 2026.
Gogs: Stored XSS via data URI in issue comments
Severity: High. CVE-2026-26022 was published for gogs.io/gogs (Go) on Mar 5, 2026.
Gokapi has Stored XSS in SVG Hotlinks
Severity: High. CVE-2026-28683 was published for github.com/forceu/gokapi (Go) on Mar 5, 2026.
Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege Escalation on Windows
Severity: High. CVE-2025-15558 was published for github.com/docker/cli (Go) on Mar 5, 2026.
ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover
Severity: High. CVE-2026-29192 was published for github.com/zitadel/zitadel (Go) on Mar 4, 2026.
ZITADEL: Login V2 UI Policy Bypass Allows Unauthorized Self-Registration and Authentication
Severity: High. CVE-2026-29193 was published for github.com/zitadel/zitadel (Go) on Mar 4, 2026.
Netmaker Vulnerable to Denial of Service via Server Shutdown Endpoint
Severity: High. CVE-2026-29771 was published for github.com/gravitl/netmaker (Go) on Mar 4, 2026.
traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)
Severity: High. CVE-2026-29054 was published for github.com/traefik/traefik/v2 (Go) on Mar 4, 2026.
Nuclio Shell Runtime Command Injection Leading to Privilege Escalation
Severity: High. CVE-2026-29042 was published for github.com/nuclio/nuclio (Go) on Mar 4, 2026.
Traefik: tcp router clears read deadlines before tls forwarding, enabling stalled handshakes (Slowloris DOS)
Severity: High. CVE-2026-26999 was published for github.com/traefik/traefik/v2 (Go) on Mar 4, 2026.
Rancher's restricted PodSecurityPolicy does not prevent containers from running as a privileged user
Severity: High. GHSA-hwm2-4ph6-w6m5 was published for github.com/rancher/rancher (Go) on Mar 3, 2026.
Rancher's Azure AD permission changes are not reflected on active sessions
Severity: High. CVE-2023-22648 was published for github.com/rancher/rancher (Go) on Mar 3, 2026.
OliveTin has Unauthenticated Action Termination via KillAction When Guests Must Login
Severity: High. CVE-2026-28790 was published for github.com/OliveTin/OliveTin (Go) on Mar 2, 2026.
OliveTin has unauthenticated DoS via concurrent map writes in OAuth2 state handling
Severity: High. CVE-2026-28789 was published for github.com/OliveTin/OliveTin (Go) on Mar 2, 2026.
FileBrowser has Path Traversal in Public Share Links that Exposes Files Outside Shared Directory
Severity: High. CVE-2026-28492 was published for github.com/filebrowser/filebrowser/v2 (Go) on Mar 2, 2026.
ProTip! Advisories are also available from the GraphQL API.