Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
41
GitHub Actions
42
Go
3,114
Maven
5,000+
npm
5,000+
NuGet
826
pip
4,428
Pub
12
RubyGems
988
Rust
1,171
Swift
50
Unreviewed advisories
All unreviewed
5,000+

330 advisories

Loading
SiYuan Vulnerable to Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage Critical
GHSA-2h2p-mvfx-868w was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 7, 2026
Zwique Credited to Zwique
WeKnora has Remote Code Execution (RCE) via Command Injection in MCP Stdio Configuration Validation Critical
CVE-2026-30861 was published for github.com/Tencent/WeKnora (Go) Mar 7, 2026
aleister1102 Credited to aleister1102
WeKnora Vulnerable to Remote Code Execution via SQL Injection Bypass in AI Database Query Tool Critical
CVE-2026-30860 was published for github.com/Tencent/WeKnora (Go) Mar 6, 2026
aleister1102 Credited to aleister1102
WeKnora Vulnerable to Broken Access Control in Tenant Management Critical
CVE-2026-30855 was published for github.com/Tencent/WeKnora (Go) Mar 6, 2026
aleister1102 Credited to aleister1102
soft-serve vulnerable to SSRF via unvalidated LFS endpoint in repo import Critical
CVE-2026-30832 was published for github.com/charmbracelet/soft-serve (Go) Mar 6, 2026
vnykmshr Credited to vnykmshr
Gogs: Cross-repository LFS object overwrite via missing content hash verification Critical
CVE-2026-25921 was published for gogs.io/gogs (Go) Mar 5, 2026
zjuchenyuan Credited to zjuchenyuan
Nginx-UI Vulnerable to Unauthenticated Backup Download with Encryption Key Disclosure Critical
CVE-2026-27944 was published for github.com/0xJacky/Nginx-UI (Go) Mar 5, 2026
tenbbughunters Credited to tenbbughunters
ZITADEL has 1-Click Account Takeover via XSS in /saml-post Endpoint Critical
CVE-2026-29191 was published for github.com/zitadel/zitadel (Go) Mar 4, 2026
amit-laish Credited to amit-laish, bastionstack, and livio-a bastionstack bastionstack
livio-a livio-a
File Browser's TUS Delete Endpoint Bypasses Delete Permission Check Critical
CVE-2026-29188 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 4, 2026
fg0x0 Credited to fg0x0 and hacdias hacdias hacdias
SiYuan: Unauthenticated Reflected XSS via SVG Injection in /api/icon/getDynamicIcon Endpoint Critical
CVE-2026-29183 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 4, 2026
maru1009 Credited to maru1009
Rancher cloud credentials can be used through proxy API by users without access Critical
CVE-2021-25320 was published for github.com/rancher/rancher (Go) Mar 3, 2026
Rancher has downstream cluster privilege escalation through cluster and project role template binding (CRTB/PRTB) Critical
CVE-2022-31247 was published for github.com/rancher/rancher (Go) Mar 3, 2026
Rancher doesn't properly sanitize credentials in cluster template answers Critical
CVE-2021-36783 was published for github.com/rancher/rancher (Go) Mar 3, 2026
Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse Critical
CVE-2026-28268 was published for code.vikunja.io/api (Go) Feb 28, 2026
VashuVats Credited to VashuVats
Vitess users with backup storage access can write to arbitrary file paths on restore Critical
CVE-2026-27969 was published for vitess.io/vitess (Go) Feb 27, 2026
NeuroWinter Credited to NeuroWinter
Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change Critical
CVE-2026-27575 was published for code.vikunja.io/api (Go) Feb 25, 2026
iamsampathk Credited to iamsampathk
OliveTin: OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks Critical
CVE-2026-27626 was published for github.com/OliveTin/OliveTin (Go) Feb 25, 2026
ByamB4 Credited to ByamB4
Traefik affected by TLS ClientAuth Bypass on HTTP/3 Critical
GHSA-gv8r-9rw9-9697 was published for github.com/traefik/traefik (Go) Feb 20, 2026
rbqvq Credited to rbqvq
Dagu affected by unauthenticated RCE via inline DAG spec in default configuration Critical
GHSA-6qr9-g2xw-cw92 was published for github.com/dagu-org/dagu (Go) Feb 19, 2026
ByamB4 Credited to ByamB4
Kargo has an Authorization Bypass Vulnerability in Batch Resource Creation API Endpoints Critical
CVE-2026-27112 was published for github.com/akuity/kargo (Go) Feb 19, 2026
b0b0haha Credited to b0b0haha, spingARbor, and krancour spingARbor spingARbor
krancour krancour
Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise Critical
CVE-2026-26190 was published for github.com/milvus-io/milvus (Go) Feb 11, 2026
0x1f Credited to 0x1f
Fiber has an insecure fallback in utils.UUIDv4() / utils.UUID() — predictable / zero‑UUID on crypto/rand failure Critical
CVE-2025-66630 was published for github.com/gofiber/fiber/v2 (Go) Feb 9, 2026
sixcolors Credited to sixcolors
Gogs's update .git/config file allows remote command execution Critical
CVE-2025-64111 was published for gogs.io/gogs (Go) Feb 6, 2026
ROPShell Credited to ROPShell
FrankenPHP has delayed propagation of security fixes in upstream base images Critical
GHSA-x9p2-77v6-6vhf was published for github.com/dunglas/frankenphp (Go) Feb 5, 2026
opctim Credited to opctim and dunglas dunglas dunglas
Local Path Provisioner vulnerable to Path Traversal via parameters.pathPattern Critical
CVE-2025-62878 was published for github.com/rancher/local-path-provisioner (Go) Feb 4, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database