Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
41
GitHub Actions
42
Go
3,130
Maven
5,000+
npm
5,000+
NuGet
830
pip
4,436
Pub
12
RubyGems
988
Rust
1,172
Swift
50
Unreviewed advisories
All unreviewed
5,000+

1,413 advisories

Loading
Envoy's global rate limit may crash when the response phase limit is enabled and the response phase request is failed directly Moderate
CVE-2026-26330 was published for github.com/envoyproxy/envoy (Go) Mar 10, 2026
phlax Credited to phlax, botengyao, and agrawroh botengyao botengyao
agrawroh agrawroh
Envoy: HTTP - filter chain execution on reset streams causing UAF crash Moderate
CVE-2026-26311 was published for github.com/envoyproxy/envoy (Go) Mar 10, 2026
MushroomWasp Credited to MushroomWasp, agrawroh, yanavlasov, botengyao, and phlax agrawroh agrawroh
yanavlasov yanavlasov botengyao botengyao phlax phlax
Envoy affected by off-by-one write in JsonEscaper::escapeString() Moderate
CVE-2026-26309 was published for github.com/envoyproxy/envoy (Go) Mar 10, 2026
Finder16 Credited to Finder16, agrawroh, phlax, and botengyao agrawroh agrawroh
phlax phlax botengyao botengyao
Envoy vulenrable to crash for scoped ip address during DNS Moderate
CVE-2026-26310 was published for github.com/envoyproxy/envoy (Go) Mar 10, 2026
antoniovleonti Credited to antoniovleonti, agrawroh, botengyao, and phlax agrawroh agrawroh
botengyao botengyao phlax phlax
Kubewarden: Cross-namespace data exfiltration via deprecated host callback binding Moderate
CVE-2026-29773 was published for github.com/kubewarden/kubewarden-controller (Go) Mar 9, 2026
thevilledev Credited to thevilledev
Netmaker has Privilege Escalation from Admin to Super-Admin via User Update Moderate
CVE-2026-29195 was published for github.com/gravitl/netmaker (Go) Mar 9, 2026
WeKnora has Unauthorized Cross‑Tenant Knowledge Base Cloning Moderate
CVE-2026-30857 was published for github.com/Tencent/WeKnora (Go) Mar 6, 2026
aleister1102 Credited to aleister1102
WeKnora Vulnerable to Tool Execution Hijacking via Ambigous Naming Convention In MCP client and Indirect Prompt Injection Moderate
CVE-2026-30856 was published for github.com/Tencent/WeKnora (Go) Mar 6, 2026
aleister1102 Credited to aleister1102
Caddy's vars_regexp double-expands user input, leaking env vars and files Moderate
CVE-2026-30852 was published for github.com/caddyserver/caddy/v2/modules/caddyhttp (Go) Mar 6, 2026
sammiee5311 Credited to sammiee5311
WeKnora is Vulnerable to SSRF via Redirection Moderate
CVE-2026-30247 was published for github.com/Tencent/WeKnora (Go) Mar 5, 2026
aleister1102 Credited to aleister1102 and Haruna38 Haruna38 Haruna38
OliveTin doesn't check view permission when returning dashboards Moderate
CVE-2026-30233 was published for github.com/OliveTin/OliveTin (Go) Mar 5, 2026
Zwique Credited to Zwique
OliveTin has crash on NPE by calling APIs with invalid bindings or log references Moderate
GHSA-fwhj-785h-43hh was published for github.com/OliveTin/OliveTin (Go) Mar 5, 2026
maru1009 Credited to maru1009
OliveTin's RestartAction always runs actions as guest Moderate
CVE-2026-30225 was published for github.com/OliveTin/OliveTin (Go) Mar 5, 2026
Zwique Credited to Zwique
OliveTin Session Fixation: Logout Fails to Invalidate Server-Side Session Moderate
CVE-2026-30224 was published for github.com/OliveTin/OliveTin (Go) Mar 5, 2026
Zwique Credited to Zwique
Gokapi has CSRF in Login Endpoint Moderate
CVE-2026-29084 was published for github.com/forceu/gokapi (Go) Mar 5, 2026
Sijisu Credited to Sijisu, aisafe-bot, and Forceu aisafe-bot aisafe-bot
Forceu Forceu
Gokapi has privilege escalation via incomplete API-key permission revocation on user rank demotion Moderate
CVE-2026-29061 was published for github.com/forceu/gokapi (Go) Mar 5, 2026
Sijisu Credited to Sijisu, aisafe-bot, and Forceu aisafe-bot aisafe-bot
Forceu Forceu
Gogs: Access tokens get exposed through URL params in API requests Moderate
CVE-2026-26196 was published for gogs.io/gogs (Go) Mar 5, 2026
rezmoss Credited to rezmoss
Gogs: Stored XSS in branch and wiki views through author and committer names Moderate
CVE-2026-26195 was published for gogs.io/gogs (Go) Mar 5, 2026
rezmoss Credited to rezmoss
Gokapi has privilege escalation with auth token Moderate
CVE-2026-29060 was published for github.com/forceu/gokapi (Go) Mar 5, 2026
Forceu Credited to Forceu
Gokapi has Data Leak in Upload Status Stream Moderate
CVE-2026-28682 was published for github.com/forceu/gokapi (Go) Mar 5, 2026
Sijisu Credited to Sijisu, aisafe-bot, and Forceu aisafe-bot aisafe-bot
Forceu Forceu
Agentgateway is missing parameter sanitization in MCP to OpenAPI conversion Moderate
CVE-2026-29791 was published for github.com/agentgateway/agentgateway (Go) Mar 5, 2026
lxd's non-recursive certificate listing bypasses per-object authorization and leaks all fingerprints Moderate
CVE-2026-3351 was published for github.com/canonical/lxd (Go) Mar 4, 2026
bugbunny-research Credited to bugbunny-research
Traefik has unbounded io.ReadAll on auth server response body that causes OOM DOS Moderate
CVE-2026-26998 was published for github.com/traefik/traefik/v2 (Go) Mar 4, 2026
sm1ee Credited to sm1ee
SiYuan's direct SQL Query API accessible to Reader-level users enables unauthorized database access Moderate
CVE-2026-29073 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 3, 2026
rezmoss Credited to rezmoss
Rancher Backup Operator pod's logs leak S3 tokens Moderate
CVE-2025-62879 was published for github.com/rancher/backup-restore-operator (Go) Mar 3, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database