Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
45
Go
3,196
Maven
5,000+
npm
5,000+
NuGet
864
pip
4,483
Pub
12
RubyGems
992
Rust
1,186
Swift
51
Unreviewed advisories
All unreviewed
5,000+

1,163 advisories

Loading
Kube-router Proxy Module Blindly Trusts ExternalIPs/LoadBalancer IPs Enabling Cluster-Wide Traffic Hijacking and DNS DoS High
CVE-2026-32254 was published for github.com/cloudnativelabs/kube-router/v2 (Go) Mar 17, 2026
b0b0haha Credited to b0b0haha
Fullchain's Invalid NetworkPolicy enables a malicious actor to pivot into another namespace High
CVE-2026-32769 was published for github.com/ctfer-io/fullchain (Go) Mar 16, 2026
ViRb3 Credited to ViRb3
Romeo is vulnerable to Archive Slip due to missing checks in sanitization High
CVE-2026-32805 was published for github.com/ctfer-io/romeo/webserver (Go) Mar 16, 2026
tanishqshah2 Credited to tanishqshah2
Monitoring is vulnerable to Archive Slip due to missing checks in sanitization High
CVE-2026-32771 was published for github.com/ctfer-io/monitoring (Go) Mar 16, 2026
tanishqshah2 Credited to tanishqshah2
Romeo's invalid NetworkPolicy enables a malicious actor to pivot into another namespace High
CVE-2026-32737 was published for github.com/ctfer-io/romeo/environment/deploy (Go) Mar 16, 2026
ViRb3 Credited to ViRb3
Chall-Manager's invalid NetworkPolicy enables a malicious actor to pivot into another namespace High
CVE-2026-32768 was published for github.com/ctfer-io/chall-manager/deploy (Go) Mar 16, 2026
ViRb3 Credited to ViRb3
SiYuan importSY/importZipMd: path traversal via multipart filename enables arbitrary file write High
CVE-2026-32749 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 16, 2026
fg0x0 Credited to fg0x0
IncusOS has a LUKS encryption bypass due to insufficient TPM policy High
CVE-2026-32606 was published for github.com/lxc/incus-os/incus-osd (Go) Mar 16, 2026
Mattermost fails to properly handle very long passwords High
CVE-2026-24458 was published for github.com/mattermost/mattermost-server (Go) Mar 16, 2026
github.com/ctfer-io/monitoring Vulnerable to Improper Access Control High
CVE-2026-32720 was published for github.com/ctfer-io/monitoring (Go) Mar 13, 2026
ViRb3 Credited to ViRb3
Ella Core vulnerable to Unauthenticated AMF DoS via malformed InitialUEMessage with undersized integrity-protected NAS payload High
CVE-2026-32319 was published for github.com/ellanetworks/core (Go) Mar 12, 2026
p1-aji Credited to p1-aji and p1-kgy p1-kgy p1-kgy
Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint High
CVE-2026-32246 was published for github.com/steveiliop56/tinyauth (Go) Mar 12, 2026
e1024x Credited to e1024x
Traefik: HTTP/2 frames can cause a running server to panic High
GHSA-4hjq-9h5c-252j was published for github.com/traefik/traefik/v2 (Go) Mar 12, 2026
WolverMinion Credited to WolverMinion
SiYuan has a Full-Read SSRF via /api/network/forwardProxy High
CVE-2026-32110 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 12, 2026
ritikchaddha Credited to ritikchaddha and neo-ai-engineer neo-ai-engineer neo-ai-engineer
OliveTin Vulnerable to Unauthorized Action Output Disclosure via EventStream High
CVE-2026-32102 was published for github.com/OliveTin/OliveTin (Go) Mar 12, 2026
kule500 Credited to kule500
Argo Workflows: WorkflowTemplate Security Bypass via podSpecPatch in Strict/Secure Reference Mode High
CVE-2026-31892 was published for github.com/argoproj/argo-workflows (Go) Mar 11, 2026
thevilledev Credited to thevilledev
Unauthorized access to Argo Workflows Template High
CVE-2026-28229 was published for github.com/argoproj/argo-workflows/v3 (Go) Mar 11, 2026
Masamuneee Credited to Masamuneee
flagd Vulnerable to Allocation of Resources Without Limits or Throttling High
CVE-2026-31866 was published for github.com/open-feature/flagd/flagd (Go) Mar 11, 2026
danipalli Credited to danipalli, marcozabel, and toddbaert marcozabel marcozabel
toddbaert toddbaert
OliveTin's unsafe parsing of UniqueTrackingId can be used to write files High
CVE-2026-31817 was published for github.com/OliveTin/OliveTin (Go) Mar 11, 2026
iconnnjka Credited to iconnnjka
zot’s create-only policy allows overwrite attempts of existing latest tag (update permission not required) High
CVE-2026-31801 was published for zotregistry.dev/zot (Go) Mar 10, 2026
1seal Credited to 1seal
Envoy has RBAC Header Validation Bypass via Multi-Value Header Concatenation High
CVE-2026-26308 was published for github.com/envoyproxy/envoy (Go) Mar 10, 2026
botengyao Credited to botengyao, phlax, and agrawroh phlax phlax
agrawroh agrawroh
FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse) High
CVE-2026-30934 was published for github.com/gtsteffaniak/filebrowser (Go) Mar 9, 2026
lulaide Credited to lulaide
FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info High
CVE-2026-30933 was published for github.com/gtsteffaniak/filebrowser/backend (Go) Mar 9, 2026
mdcoxe Credited to mdcoxe
SiYuan: Authorization Bypass Allows Low-Privilege Publish User to Modify Notebook Content via /api/block/appendHeadingChildren High
CVE-2026-30926 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 9, 2026
Zwique Credited to Zwique
Netmaker: Service User with Network Access Can Access config files with WireGuard Private Keys High
CVE-2026-29196 was published for github.com/gravitl/netmaker (Go) Mar 9, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database