Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
46
GitHub Actions
48
Go
3,361
Maven
5,000+
npm
5,000+
NuGet
881
pip
4,554
Pub
12
RubyGems
1,013
Rust
1,205
Swift
51
Unreviewed advisories
All unreviewed
5,000+

1,224 advisories

Loading
nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys High
CVE-2026-33030 was published for github.com/0xJacky/nginx-ui (Go) Mar 30, 2026
f1veT Credited to f1veT
nginx-ui has Race Condition that Leads to Persistent Data Corruption and Service Collapse High
CVE-2026-33028 was published for github.com/0xJacky/Nginx-UI (Go) Mar 30, 2026
dapickle Credited to dapickle
Gotenberg has Chromium deny-list bypass via case-insensitive URL scheme (bypass of GHSA-rh2x-ccvw-q7r3) High
CVE-2026-27018 was published for github.com/gotenberg/gotenberg/v8 (Go) Mar 30, 2026
q1uf3ng Credited to q1uf3ng
Traefik: Deny Rule Bypass via Unauthenticated Malicious gRPC Requests in gRPC-Go Dependency (CVE-2026-33186) High
GHSA-46wh-3698-f2cx was published for github.com/traefik/traefik/v2 (Go) Mar 29, 2026
Sliver: Nil Pointer Dereference in tunnelCloseHandler causes panic when a reverse tunnel (rportfwd) close is attempted High
GHSA-c279-989m-238f was published for github.com/bishopfox/sliver (Go) Mar 29, 2026
VarshankNaik Credited to VarshankNaik
XPath: Boolean expression infinite loop leads to denial of service via CPU exhaustion High
CVE-2026-32287 was published for github.com/antchfx/xpath (Go) Mar 29, 2026
MinIO is Vulnerable to SSE Metadata Injection via Replication Headers High
CVE-2026-34204 was published for github.com/minio/minio (Go) Mar 27, 2026
harshavardhana Credited to harshavardhana, donatello, and shtripat donatello donatello
shtripat shtripat
Flannel has cross-node remote code execution via extension backend BackendData injection High
CVE-2026-32241 was published for github.com/flannel-io/flannel (Go) Mar 27, 2026
shachartal Credited to shachartal
act: actions/cache server allows malicious cache injection High
CVE-2026-34042 was published for github.com/nektos/act (Go) Mar 27, 2026
programmerjake Credited to programmerjake
act: Unrestricted set-env and add-path command processing enables environment injection High
CVE-2026-34041 was published for github.com/nektos/act (Go) Mar 27, 2026
golang-not-rust Credited to golang-not-rust
Fleet's unbounded request body read allows remote Denial of Service High
CVE-2026-26061 was published for github.com/fleetdm/fleet/v4 (Go) Mar 27, 2026
MagnusHJensen Credited to MagnusHJensen
Moby has AuthZ plugin bypass when provided oversized request bodies High
CVE-2026-34040 was published for github.com/docker/docker (Go) Mar 27, 2026
vvoland Credited to vvoland and manizada manizada manizada
Local Incus UI web server vulnerable to nuthentication bypass High
CVE-2026-33898 was published for github.com/lxc/incus/v6/cmd/incus (Go) Mar 27, 2026
grmpyninja Credited to grmpyninja and stgraber stgraber stgraber
Incus does not verify combined fingerprint when downloading images from simplestreams servers High
CVE-2026-33542 was published for github.com/lxc/incus/v6/client (Go) Mar 27, 2026
wl2018 Credited to wl2018 and stgraber stgraber stgraber
Ella Core has Privilege Escalation via Database Restore by NetworkManager role High
CVE-2026-33906 was published for github.com/ellanetworks/core (Go) Mar 26, 2026
offset Credited to offset
Contrast BadAML injection allows arbitrary code execution High
GHSA-g9ww-x58f-9g6m was published for github.com/edgelesssys/contrast (Go) Mar 26, 2026
katexochen Credited to katexochen and sespiros sespiros sespiros
BuildKit Git URL subdir component can cause access to restricted files High
CVE-2026-33748 was published for github.com/moby/buildkit (Go) Mar 26, 2026
BuildKit's Malicious frontend can cause file escape outside of storage root High
CVE-2026-33747 was published for github.com/moby/buildkit (Go) Mar 26, 2026
1seal Credited to 1seal
Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation High
CVE-2026-33680 was published for code.vikunja.io/api (Go) Mar 25, 2026
offset Credited to offset
Vikjuna: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion High
CVE-2026-33678 was published for code.vikunja.io/api (Go) Mar 25, 2026
offset Credited to offset
Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect High
CVE-2026-33668 was published for code.vikunja.io/api (Go) Mar 25, 2026
NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead High
CVE-2026-27889 was published for github.com/nats-io/nats-server (Go) Mar 25, 2026
Mistz1 Credited to Mistz1 and jiayuqi7813 jiayuqi7813 jiayuqi7813
NATS has pre-auth server panic via leafnode handling High
CVE-2026-33218 was published for github.com/nats-io/nats-server (Go) Mar 24, 2026
NATS allows MQTT clients to bypass ACL checks High
CVE-2026-33217 was published for github.com/nats-io/nats-server (Go) Mar 24, 2026
NATS has MQTT plaintext password disclosure High
CVE-2026-33216 was published for github.com/nats-io/nats-server (Go) Mar 24, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database