
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,496 advisories

Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint (Moderate)
CVE-2026-33638 was published for github.com/lin-snow/ech0 (Go) Mar 24, 2026
Credited to QiaoNPC
NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching (Moderate)
CVE-2026-33248 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026
NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers (Moderate)
CVE-2026-33246 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026
NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing (Moderate)
CVE-2026-33223 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026
NATS JetStream has an authorization bypass through its Management API (Moderate)
CVE-2026-33222 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026
NATS is vulnerable to pre-auth DoS through WebSockets client service (Moderate)
CVE-2026-33219 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026
NATS is vulnerable to MQTT hijacking via Client ID (Moderate)
CVE-2026-33215 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026
NATS: Message tracing can be redirected to arbitrary subject (Moderate)
CVE-2026-33249 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026
PinchTab: Unapplied Rate Limiting Middleware Allows Unbounded Brute-Force of API Token (Moderate)
CVE-2026-33621 was published for github.com/pinchtab/pinchtab (Go) Mar 24, 2026
Credited to mean3374
PinchTab: OS Command Injection via Profile Name in Windows Cleanup Routine Enables Arbitrary Command Execution (Moderate)
CVE-2026-33623 was published for github.com/pinchtab/pinchtab/cmd/pinchtab (Go) Mar 24, 2026
Credited to Yesuhei
A PinchTab Security Policy Bypass in /wait Allows Arbitrary JavaScript Execution (Moderate)
CVE-2026-33622 was published for github.com/pinchtab/pinchtab/cmd/pinchtab (Go) Mar 24, 2026
Credited to Yesuhei
PinchTab: API Bearer Token Exposed in URL Query Parameter via Server Logs and Intermediary Systems (Moderate)
CVE-2026-33620 was published for github.com/pinchtab/pinchtab (Go) Mar 24, 2026
Credited to mean3374
PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl (Moderate)
CVE-2026-33619 was published for github.com/pinchtab/pinchtab (Go) Mar 24, 2026
Credited to mean3374
FileBrowser Quantum has Username Enumeration via Authentication Timing Side-Channel (Moderate)
GHSA-7789-65hx-f26w was published for github.com/gtsteffaniak/filebrowser/backend (Go) Mar 24, 2026
Credited to mdcoxe
GoDoxy has a Path Traversal Vulnerability in its File API (Moderate)
CVE-2026-33528 was published for github.com/yusing/godoxy (Go) Mar 24, 2026
Credited to ormzro
New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check (Moderate)
CVE-2026-30886 was published for github.com/QuantumNous/new-api (Go) Mar 23, 2026
Credited to Mistz1 and Calcium-Ion
New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure (Moderate)
CVE-2026-32879 was published for github.com/QuantumNous/new-api (Go) Mar 23, 2026
Credited to asdf2adsfad and seefs001
NFS CSI driver for Kubernetes is Vulnerable to Path Traversal through Volume Identifier Parameter (Moderate)
CVE-2026-3864 was published for github.com/kubernetes-csi/csi-driver-nfs (Go) Mar 21, 2026
Ory Oathkeeper has an authentication bypass by usage of untrusted header (Moderate)
CVE-2026-33495 was published for github.com/ory/oathkeeper (Go) Mar 20, 2026
Syft improper temporary file cleanup (Moderate)
CVE-2026-33481 was published for github.com/anchore/syft (Go) Mar 20, 2026
Credited to htrgouvea
Vikunja Affected by DoS via Image Preview Generation (Moderate)
CVE-2026-33474 was published for code.vikunja.io/api (Go) Mar 20, 2026
Credited to Aryma-f4
Vikunja has TOTP Reuse During Validity Window (Moderate)
CVE-2026-33473 was published for code.vikunja.io/api (Go) Mar 20, 2026
Credited to alp1n3-dev
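The Vikunja entry above names the general weakness of accepting the same TOTP code more than once while it is still inside its 30-second window. The following is an added example, not Vikunja's code and not a description of its actual fix: a stand-alone Go RFC 6238 verifier that shows the weak behaviour (any currently valid code is accepted, however many times it is presented) beside the hardened one (the time-step counter of each accepted code is remembered per user, and a code whose counter is not strictly newer is refused). The type and function names, the per-user map, the skew parameter and the test key from RFC 6238 Appendix B are all assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"sync"
	"time"
)

// RFC 6238 defaults: 30-second time step, 6-digit codes, HMAC-SHA1.
const (
	totpStep    = 30
	totpModulus = 1000000 // 10^6, truncation modulus for 6 digits
)

// totpAt returns the code for one time-step counter (RFC 4226 HOTP with
// the counter derived from time, as RFC 6238 specifies).
func totpAt(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation offset
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%totpModulus)
}

// TOTPVerifier validates codes. With PreventReplay set it records the highest
// counter accepted for each user and refuses any code whose counter is not
// strictly newer, so a code cannot be reused inside its validity window.
type TOTPVerifier struct {
	mu            sync.Mutex
	secret        []byte
	skew          int64 // extra steps tolerated on each side for clock drift
	PreventReplay bool
	lastUsed      map[string]uint64 // user -> last accepted counter (hypothetical store)
}

func NewTOTPVerifier(secret []byte, skew int64, preventReplay bool) *TOTPVerifier {
	return &TOTPVerifier{secret: secret, skew: skew, PreventReplay: preventReplay, lastUsed: map[string]uint64{}}
}

// Verify reports whether code is valid for user at time now.
func (v *TOTPVerifier) Verify(user, code string, now time.Time) bool {
	v.mu.Lock()
	defer v.mu.Unlock()
	center := now.Unix() / totpStep
	for d := -v.skew; d <= v.skew; d++ {
		if center+d < 0 {
			continue
		}
		c := uint64(center + d)
		// Constant-time comparison so the check itself leaks nothing about the code.
		if subtle.ConstantTimeCompare([]byte(totpAt(v.secret, c)), []byte(code)) != 1 {
			continue
		}
		if v.PreventReplay {
			if last, seen := v.lastUsed[user]; seen && c <= last {
				return false // this counter (or a later one) was already consumed
			}
			v.lastUsed[user] = c
		}
		return true
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 Appendix B test key (constructed input)
	now := time.Unix(59, 0)                   // counter 1; RFC 6238 gives code 287082
	code := totpAt(secret, 1)

	weak := NewTOTPVerifier(secret, 1, false)
	fmt.Println("weak: first", weak.Verify("alice", code, now), "replay", weak.Verify("alice", code, now))

	hard := NewTOTPVerifier(secret, 1, true)
	fmt.Println("hard: first", hard.Verify("alice", code, now), "replay", hard.Verify("alice", code, now))
}
```

The replay state must live in storage shared by every instance that performs the check (a database column or a cache keyed by user), not in process memory as here, otherwise a second replica will happily accept the code the first one just consumed.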
Vikunja has a 2FA Bypass via Caldav Basic Auth (Moderate)
CVE-2026-33315 was published for code.vikunja.io/api (Go) Mar 20, 2026
Credited to alp1n3-dev
Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments (Moderate)
CVE-2026-33313 was published for code.vikunja.io/api (Go) Mar 20, 2026
Vikunja read-only users can delete project background images via broken object-level authorization (Moderate)
CVE-2026-33312 was published for code.vikunja.io/api (Go) Mar 20, 2026